
User Guide

NetEqualizer User Guide

Copyright 2005, 2006, 2007, 2008, 2009, 2010 APConnections.

All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of APConnections, Inc.

APconnections, Inc. // 303.997.1300 // Copyright 2010 APconnections, Inc.

www.netequalizer.com Page 1 of 52

All rights reserved rev. 20100921

Table of Contents

Where to Install NetEqualizer ...................................................... 3
Setting your Trunk Size ............................................................ 4
Equalizing (Default Mode) .......................................................... 5
Modifying Equalizing Parameters .................................................... 7
    Using the RATIO Parameter to Influence Default Mode ............................ 7
    Parameters to Adjust Equalizing Sensitivity .................................... 7
    Parameters to Size Internal Tables ............................................. 9
    Viewing your Parameter Settings ............................................... 10
Bandwidth Rules: Priority and Limits .............................................. 11
    Bandwidth Priority Rules ...................................................... 11
        Setting Priority Hosts .................................................... 12
    Bandwidth Limiting Rules ...................................................... 12
        Setting Connection Limits ................................................. 12
        Setting Hard Limits by IP ................................................. 14
        Adding "Bursting" to Hard Limits .......................................... 15
        Setting up Bandwidth Pools ................................................ 16
        Setting Hard Limits by VLAN ............................................... 18
        Setting Hard Limits by MAC address ........................................ 19
    Removing Bandwidth Priority or Limiting Rules ................................. 19
Bandwidth Usage ................................................................... 20
    Setting User Quotas (User-Quota API) .......................................... 20
    MAC Redirection ............................................................... 21
    Masking Off Traffic ........................................................... 22
Monitoring and Reporting .......................................................... 24
    Real-time Reporting ........................................................... 24
        To view Instantaneous Bandwidth Usage ..................................... 24
        To view all Active Connections ............................................ 26
        Show the NetEqualizer Log File ............................................ 27
        Show MAC address for Active IPs ........................................... 29
    Historical Reporting .......................................................... 29
        Graphical Reporting ....................................................... 29
        Start ntop automatically when your NetEqualizer is rebooted ............... 30
        Recommended ntop reports .................................................. 31
        Creating an ntop data warehouse to report on > 1 month history ............ 33
        Setting up NetEqualizer to use your ntp Time Server ....................... 33
Tips and Tricks ................................................................... 35
Appendix 1 - Parameter Settings, Units, and Defaults .............................. 38
Appendix 2 - Setting/Forcing LAN Speeds and Duplex ................................ 39
Appendix 3 - Tuning Hard Limit, VLAN, and Pool Sensitivity ........................ 41
Appendix 4 - Packet Capturing for taps such as CALEA .............................. 43
Appendix 5 - Network Access Control (NAC) ......................................... 45
Appendix 6 - NetEqualizer User-Quota API (NUQ API) Programmer's Toolkit ........... 48

Thank you for purchasing a NetEqualizer. You are now on your way to achieving "Faster Networks, With Zero Maintenance, At The Best Prices". Using NetEqualizer in default factory mode will take care of almost all network congestion and priority traffic flow requirements, and is the recommended operational mode for most customers. However, NetEqualizer also offers a wide range of bandwidth control options, while at the same time allowing you to keep it simple.

NetEqualizer Quick Start Guide

To perform your initial installation, you should reference the NetEqualizer Quick Start Guide. This contains the basic setup details and minimal settings required to get you up and running. A hard copy is included in your shipping box. We also email a PDF copy with your shipping confirmation email.

Note: The NetEqualizer Quick Start Guide is a step-by-step instruction manual.

NetEqualizer User Guide

The NetEqualizer User Guide is intended to walk through NetEqualizer features in more detail than our NetEqualizer Quick Start Guide. It also includes appendices describing our add-on modules. Once up and running, it is a good idea to review this entire NetEqualizer User Guide, to become familiar with all of the advanced features available to you.

Note: The NetEqualizer User Guide is not a step-by-step instruction manual.

For Additional Help

Should you need further assistance setting up your NetEqualizer, please call our Support Team at 303.997.1300 x102 or email support@apconnections.net. If you purchased through an authorized distributor or reseller, check with them first to determine if they support you directly.

Where to Install NetEqualizer


NetEqualizer can be installed on any link whose traffic you would like to shape. For maximum effectiveness, most users should install NetEqualizer between the network users and the Internet trunk. Traffic running between your network and the Internet is generally a constriction point in traffic flow where many users compete for this limited resource. By placing your NetEqualizer at this junction you will automatically optimize your Internet speed.

The NetEqualizer operates as a Transparent Bridge on your network. There is typically no need to change anything in your network configuration to install the appliance. Simply install the NetEqualizer between your Router and Network Switch, or anywhere you can see the individual IP addresses you wish to shape. Set it up using the Quick Start Guide to modify any factory default settings, and then access it via a Web Graphical User Interface.

Note: For a detailed list of the steps necessary to get up and running, please see the NetEqualizer Quick Start Guide. If you do not have a copy of the Quick Start Guide, please request one by calling our Support Team at 303.997.1300 x102 or emailing support@apconnections.net.

Setting your Trunk Size
NetEqualizer allows for different speeds for outbound and inbound links. The parameters are TRUNK_UP (outbound) and TRUNK_DOWN (inbound). These parameters are set in bytes per second, and are used by the NetEqualizer so it can react and take action when your trunk is at capacity.

From the Web GUI Main Menu, Click on ->Parameters->Modify parameters
In the table displayed on the screen, you should see TRUNK_UP and TRUNK_DOWN.

Set TRUNK_UP and TRUNK_DOWN to match your network capacity. Set these parameters to the size of your network pipe for outbound traffic (TRUNK_UP) and inbound traffic (TRUNK_DOWN). We use these parameters to determine when to start Equalizing. Making either of these parameters larger than your actual trunk size will make the shaping rules less restrictive. Making them smaller than your actual trunk size will make them more restrictive.

Note: TRUNK_UP and TRUNK_DOWN do not enforce the link speed from your provider. We assume your provider has already enforced your contracted speed.

You need to stop and restart the NetEqualizer process for changes to take effect after changing your Trunk Size.
From the Web GUI Main Menu, Click on ->Miscellaneous->Stop NetEq, then Click on ->Miscellaneous->Start NetEq

Equalizing (Default Mode)
Equalizing is a simple concept. It is the art form of looking at the usage patterns (aka traffic behaviors) on the network, and then, when things get congested, robbing from the rich to give to the poor. Rather than writing hundreds of rules to specify allocations to specific traffic as in traditional application shaping, you can simply assume that large downloads are bad, short quick traffic is good, and be done with it. This behavior-based approach usually mirrors what you would end up doing if you could see and identify all of the traffic on your network, but doesn't require the labor and cost of classifying everything. Applications such as web surfing, instant messaging (IM), short downloads, and VoIP all naturally receive higher priority, while large downloads and p2p receive lower priority. This behavior-based shaping also does not need to be updated constantly as applications change.

Once equalizing is in place, it automatically shapes your network when it is congested, using algorithms to implement "fairness". The concept of fairness enables your network to continue providing quick response times to the majority of your users while restricting the network hogs. Low bandwidth users do not have to share the pain of a slow, congested network with the network-hogging applications.

Equalizing does this by using our proprietary algorithms to implement fairness. First, equalizing tracks how much bandwidth is being used. If bandwidth used is over a predefined level, the network is considered congested. Once the network is considered congested, equalizing looks at every connection (IP address pair) and puts a PENALTY on those that are over a predefined level. This process continues until network congestion eases.

NetEqualizer is the only tool on the market to offer bandwidth shaping in these 3 modes:

Equalizing. Default Rules only (simplest)
    Default Rules = on. Custom Rules have not been defined.
    Balances your traffic all the time, giving priority to short, bursty-type traffic such as web surfing, chat sessions, VoIP, and e-mail.

Default Rules & Custom Rules (most customized)
    Default Rules = on. Custom Rules have been defined.
    A combination of custom rules, such as hard limits by VLAN, Pools, IP address, subnet, or MAC address, with the safety valve of Default Rules on in the background.

Custom Rules only (not recommended)
    Default Rules = off. Custom Rules have been defined.
    Equalizing is not used in this mode, as the Default Rules are off. Traffic is not being balanced. Control is by custom rules only, such as hard limits by VLAN, Pools, IP address, subnet, or MAC address.

NetEqualizer comes configured to automatically start up with Equalizing turned on (aka "default mode"). Default Mode enables the network to deliver traffic equalizing for the most common situations, without the need for expertise in complex traffic shaping rules.

You can check if you are currently in Default Mode.
From the Web GUI Main Menu, Click on ->Miscellaneous->Show NetEq Config
In the configuration displayed on the screen, you should see DEFAULT_RULES = on

Once NetEqualizer is installed and running, a review of the Standard Log File will allow you to monitor and analyze how NetEqualizer is responding to your network's traffic.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Show the log

Applying Penalties

When your network is experiencing moderate to heavy use, you will see entries containing the word PENALTY followed by two IP addresses in the log. PENALTY indicates that NetEqualizer's built-in fairness rules have determined that the communication link between these two IP addresses (a connection) is using too much bandwidth, so NetEqualizer has issued a penalty against this connection. The penalty causes all data on that connection to slow down. At periodic intervals, if NetEqualizer determines that this connection is still using too much bandwidth, it will increase the delay on the connection. The PENALTY will be removed in a few seconds should the congestion on your Network subside.

NetEqualizer bases its decision to issue penalties on built-in fairness rules:

- The persistence of the user's connections. We look at the length of time the connections have been live. The longer the time, the more likely a penalty.
- The amount of bandwidth used relative to the total size of the trunk.
- The number of users on the trunk. The more users active on the trunk, the less bandwidth NetEqualizer will allow per user before issuing a penalty.
- Is the overall trunk saturated? A trunk is saturated when it reaches the percentage defined by the RATIO parameter (default RATIO = 85%).

Equalizing and Peer-to-Peer Traffic

In addition to our fairness rules, NetEqualizer offers Connection Limits as a way to handle peer-to-peer (P2P) traffic. As P2P traffic may be short, bursty-type traffic, another mechanism is needed to control it adequately. Connection Limits enable you to define how many connections each user on your network can open. This will cut down P2P, which tries to open 100's to 1000's of connections on your network. We believe this mechanism to be superior to managing policy files of known P2P traffic types (which will not help with encrypted P2P in any case). Both encrypted and unencrypted P2P traffic are Connection Limited. This is described in more detail in Setting Connection Limits.
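The Applying Penalties section above says that, under load, the log shows entries containing the word PENALTY followed by the two IP addresses of the penalized connection. The following script is an added example (not NetEqualizer's own tooling) that pulls those pairs out of a saved copy of the log and counts which local hosts are being penalized most often, which is the quickest way to see who the "hogs" are before deciding whether a Connection Limit or Hard Limit is warranted. The only structure it relies on is "PENALTY" followed by two dotted-quad addresses; the timestamps and the INFO line in the sample are constructed, and the local subnet 10.1.1.0/24 is an assumed value.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log text. Only "PENALTY <ip> <ip>" is taken from the guide's
# description; the leading timestamps and the INFO line are invented filler so the
# parser has something to skip.
SAMPLE_LOG = """\
12:01:05 PENALTY 10.1.1.25 74.125.0.10
12:01:05 PENALTY 10.1.1.40 208.67.222.5
12:01:12 PENALTY 10.1.1.25 74.125.0.10
12:01:12 INFO trunk utilization 91%
12:01:19 PENALTY 10.1.1.25 74.125.0.10
12:01:19 PENALTY 10.1.1.40 208.67.222.5
"""

# Matches the word PENALTY followed by two IPv4 addresses, anywhere on the line.
PENALTY_RE = re.compile(
    r"\bPENALTY\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})"
)


def penalty_pairs(log_text):
    """Yield (ip_a, ip_b) for every PENALTY entry in the log text."""
    for line in log_text.splitlines():
        m = PENALTY_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def summarize_penalties(log_text, local_net):
    """Count penalties per connection and per local host.

    local_net is the subnet behind the NetEqualizer (assumed, e.g. 10.1.1.0/24);
    whichever address of the pair falls inside it is treated as the local host.
    """
    net = ip_network(local_net)
    per_pair = Counter()
    per_local = Counter()
    for a, b in penalty_pairs(log_text):
        per_pair[(a, b)] += 1
        for ip in (a, b):
            if ip_address(ip) in net:
                per_local[ip] += 1
    return per_pair, per_local


def top_hogs(log_text, local_net, n=3):
    """Local hosts penalized most often, as a list of (ip, count) tuples."""
    _, per_local = summarize_penalties(log_text, local_net)
    return per_local.most_common(n)


if __name__ == "__main__":
    for ip, count in top_hogs(SAMPLE_LOG, "10.1.1.0/24"):
        print(f"{ip}: {count} penalties")
```

Feed it the text you get from Reports & Graphing->Show the log; a host that appears repeatedly across many intervals is a persistent hog, whereas a host penalized once during a peak is normally just default mode doing its job and needs no custom rule.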

Modifying Equalizing Parameters
Each equalizing parameter is discussed in detail below. For a summary of all equalizing parameters, please see Appendix 1, which contains a one-page cheat sheet with the default settings and recommendations.

Using the RATIO Parameter to Influence Default Mode


RATIO Parameter (units are percent, Default = 85)

NetEqualizer's RATIO parameter enables you to influence Default Mode. The RATIO parameter refers to the network utilization on a percentage basis. RATIO can be set from 1 to 100. A value of 100 tells NetEqualizer not to have the default rules kick in until the trunk is 100 percent utilized; a value of 85 would have the rules kick in at 85 percent utilized.

To change the RATIO Parameter
From the Web GUI Main Menu, Click on ->Parameters->Modify parameters
In the table displayed on the screen, you can set RATIO to a value from 1 to 100.

RATIO determines when Equalizing kicks in on your network trunk. This supplements any custom rules that you have set up. When you lower RATIO, Equalizing kicks in sooner (making equalizing more sensitive). When you raise RATIO, Equalizing kicks in later (making equalizing less sensitive).

Why RATIO is helpful

Sometimes the sheer volume of users on the network cannot be controlled by the custom rules you have implemented. For example, setting a per-user limit of 512kbs will prevent a user from going over the 512kbs prescribed level; but if 20 of your users get on at one time with large downloads, a T1 trunk, for example, is quickly overwhelmed (to set custom rules, such as per-user limits, please see Bandwidth Rules: Setting Priority and Limits). The Default Rules that kick in at 85 percent trunk utilization, or the value you have set RATIO to, provide a unique safety valve for busy hours when your trunk gets full.

Note: The RATIO parameter is applied to the Default Rules and also to any Bandwidth Pools that you have established. It has no effect on other Custom Rules that you define, such as per-user limits.

Parameters to Adjust Equalizing Sensitivity


In some instances, NetEqualizer's default rules may need to be custom tuned for sensitivity. For example, if streaming music feeds break midstream at times when the total usage on the trunk is light, it might be because NetEqualizer is tuned to be too sensitive.

From the Web GUI Main Menu, Click on ->Parameters->Modify parameters
In the table displayed on the screen, you can modify the following parameters to adjust equalizing sensitivity:

TRUNK_UP and TRUNK_DOWN (units are bytes per second, Default = T1)

Set these parameters to the size of your network pipe for outbound traffic (TRUNK_UP) and inbound traffic (TRUNK_DOWN). Making either of these parameters larger than your actual trunk size will make the shaping rules less restrictive. Making them smaller than your actual trunk size will make them more restrictive. Alternatively, you can reduce RATIO to make shaping rules more restrictive.

From the Web GUI Main Menu, Click on ->Parameters->Modify parameters
In the table displayed on the screen, you should see TRUNK_UP & TRUNK_DOWN.

You need to stop and restart the NetEqualizer process for changes to take effect after changing your Trunk Size.
From the Web GUI Main Menu, Click on ->Miscellaneous->Stop NetEq, then ->Miscellaneous->Start NetEq

PENALTY_UNIT (units are 100ths of seconds, Default = 5)

PENALTY_UNIT is the unit of time that NetEqualizer will start with when delaying a packet of Internet data. It iteratively increases penalties by this value should a hog not respond to the initial penalty. By increasing the size of this parameter, the NetEqualizer will scale back hogs more quickly. Note that the higher your network speed, the more sensitive it is to PENALTY_UNIT. The default value of 5 will work fine on any network, but if you see the NetEqualizer slowing streams too severely, you may want to reduce this value.

Here are some recommended settings for PENALTY_UNIT, based on network size:

    Network Size            PENALTY_UNIT
    < 5Mbps                 5 or 6
    >= 5Mbps to 45Mbps *    2 or 3
    >= 45Mbps               1

* Networks much larger than 45 megabits may require a PENALTY_UNIT resolution smaller than 100ths of seconds. In the NetEqualizer Web GUI, the smallest penalty that can be applied to an IP Packet is 1/100 of a second. If you are finding that a default PENALTY of 1 is putting too much latency on your connections, then you can adjust the PENALTY unit to 1/1000 of a second with the following command:
From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
Type in: /bridge/bridge-utils/brctl/brctl rembrain my 99999

MAX_PENALTY (units are 100ths of seconds, Default = 140)

This is the maximum delay that NetEqualizer will allow. NetEqualizer increments a delay by the value of PENALTY_UNIT every few seconds in the event a connection continues to use excessive bandwidth, until MAX_PENALTY is reached. A MAX_PENALTY of 200 (2 seconds) usually kills the connection altogether, as most servers on the Internet give up communicating when communications lag for more than two seconds.

HOGMIN (units are bytes per second, Default = 12,000)

HOGMIN defines the minimum traffic level for which connections will not be penalized. In other words, a connection using less bandwidth in bytes per second than this number will never get penalized. The default value of 12,000 bytes per second (96kbs) will ensure that most VoIP traffic is never accidentally throttled back when NetEqualizer reaches a congestion threshold, as VoIP will be below HOGMIN. With larger network pipes, you may want to raise HOGMIN to allow more traffic types to pass without being penalized.

Here are some recommended settings for HOGMIN, based on network size:

    Network Size            HOGMIN
    < 100Mbps               12,000
    >= 100Mbps to 1Gbps *   20,000
    >= 1Gbps                40,000

HOGMAX (units are bytes per second, Default = 1,000,000)

Legacy variable (no longer visible on the latest NetEqualizer Web GUI) but it must be larger than HOGMIN at all times.

Note: If you manually edit the NetEqualizer configuration file, you will see HOGMAX in the configuration. Please keep it set to its default value of 1,000,000.

MOVING_AVG (units are seconds, Default = 8)

MOVING_AVG keeps NetEqualizer from penalizing short bursts of activity. For example, if this variable is set to 8 and the network is hit with a burst of 8000 bytes over a second from an IP address, the moving average for the second would be 8000/8 or 1000 bytes. If the burst persisted for four seconds, the average would be 32000/8 or 4000 bytes. The larger this number, the longer a burst can be before it gets penalized. Note that if this parameter is set too high, nothing will ever get penalized. The preset value for MOVING_AVG from our factory-delivered NetEqualizer is designed to handle any size network and need not be changed.

ANCIENT (units are seconds, Default = 20)

How long to keep a penalty in effect, in seconds. The preset value for ANCIENT from our factory-delivered NetEqualizer is designed to handle any size network and need not be changed.
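The sensitivity parameters above (TRUNK_DOWN, RATIO, HOGMIN, PENALTY_UNIT, MAX_PENALTY, MOVING_AVG, ANCIENT) interact, and it helps to see them together before changing any of them. The following is an added toy model of the rules as this guide describes them, written for this edition and not APconnections' proprietary implementation: a connection's moving average is its bytes over the last MOVING_AVG seconds divided by MOVING_AVG, the trunk counts as saturated once usage passes RATIO percent of TRUNK_DOWN, only connections averaging above HOGMIN are penalized, each step adds PENALTY_UNIT up to MAX_PENALTY, and a penalty lapses ANCIENT seconds after it was last applied. The constructed scenario puts a large download and a VoIP call on a T1; the 193,000 bytes/s figure is our conversion of 1.544 Mbps and the two connections' addresses and rates are invented.

```python
from collections import deque

# Parameter values as documented in this guide (units per the parameter descriptions).
# TRUNK_DOWN: the guide's default is "T1"; 1.544 Mbps is 193,000 bytes/s (our conversion).
PARAMS = {
    "TRUNK_DOWN": 193_000,   # bytes per second
    "RATIO": 85,             # percent of trunk at which the network counts as congested
    "HOGMIN": 12_000,        # bytes per second; connections below this are never penalized
    "PENALTY_UNIT": 5,       # hundredths of a second added per penalty step
    "MAX_PENALTY": 140,      # hundredths of a second; ceiling for the delay
    "MOVING_AVG": 8,         # seconds of per-connection history that are averaged
    "ANCIENT": 20,           # seconds a penalty stays in effect
}


class Equalizer:
    """Toy model of the documented equalizing rules; not APconnections' implementation."""

    def __init__(self, params):
        self.p = params
        self.history = {}       # connection -> deque of per-second byte counts
        self.penalty = {}       # connection -> current delay, hundredths of a second
        self.penalized_at = {}  # connection -> second at which the penalty was last applied
        self.now = 0

    def moving_average(self, conn):
        """Bytes over the last MOVING_AVG seconds divided by MOVING_AVG (the 8000/8 example)."""
        return sum(self.history[conn]) / self.p["MOVING_AVG"]

    def tick(self, samples):
        """Advance one second. samples maps connection -> bytes seen this second.
        Returns the penalties in effect after this second."""
        self.now += 1
        # Record this second's bytes for every known connection (0 if it was silent).
        for conn in set(self.history) | set(samples):
            hist = self.history.setdefault(conn, deque(maxlen=self.p["MOVING_AVG"]))
            hist.append(samples.get(conn, 0))
        # A penalty lapses ANCIENT seconds after it was last applied.
        expired = [c for c in self.penalty if self.now - self.penalized_at[c] >= self.p["ANCIENT"]]
        for conn in expired:
            del self.penalty[conn]
            del self.penalized_at[conn]
        # The trunk is saturated once usage passes RATIO percent of TRUNK_DOWN.
        congested = sum(samples.values()) > self.p["TRUNK_DOWN"] * self.p["RATIO"] / 100
        if congested:
            for conn in samples:
                # Connections averaging under HOGMIN are never penalized.
                if self.moving_average(conn) > self.p["HOGMIN"]:
                    stepped = self.penalty.get(conn, 0) + self.p["PENALTY_UNIT"]
                    self.penalty[conn] = min(stepped, self.p["MAX_PENALTY"])
                    self.penalized_at[conn] = self.now
        return dict(self.penalty)


DOWNLOAD = ("10.1.1.25", "74.125.0.10")   # constructed: a large download, 170 KB/s
VOIP = ("10.1.1.40", "203.0.113.7")       # constructed: a VoIP call, 10 KB/s


def run_scenario(busy_seconds, quiet_seconds=0, params=PARAMS):
    """Constructed scenario: the download and the VoIP call share a T1 for busy_seconds,
    then the download stops for quiet_seconds. Returns the final penalty table."""
    eq = Equalizer(params)
    result = {}
    for _ in range(busy_seconds):
        result = eq.tick({DOWNLOAD: 170_000, VOIP: 10_000})
    for _ in range(quiet_seconds):
        result = eq.tick({VOIP: 10_000})
    return result


if __name__ == "__main__":
    print("after 10 busy seconds:", run_scenario(10))
    print("after 40 busy seconds:", run_scenario(40))
    print("after 10 busy + 20 quiet seconds:", run_scenario(10, 20))
```

With the defaults, the download is penalized from the first congested second and its delay climbs 5 hundredths at a time until it is capped at MAX_PENALTY; the VoIP call never averages more than 10,000 bytes/s and stays under HOGMIN, which is the behaviour the HOGMIN description promises. Raising RATIO or HOGMIN, or lowering PENALTY_UNIT, can each be tried in PARAMS to see how the same traffic is treated.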

Parameters to Size Internal Tables


From the Web GUI Main Menu, Click on ->Parameters->Modify parameters
In the table displayed on the screen, you can modify the following parameters to size internal tables:

BRAIN_SIZE (# of connections to track in 1 second, Default = 10,000)

BRAIN_SIZE determines how many connections NetEqualizer watches at one time. NetEqualizer keeps a mini-history of the activity of all users on a trunk. It uses this database to make decisions on who is using too much bandwidth.

Here are some recommended settings for BRAIN_SIZE, based on network size:

    Network Size            BRAIN_SIZE
    < 1Gbps                 10,000
    >= 1Gbps to 5Gbps *     20,000
    >= 5Gbps                30,000

Note: NetEqualizer can handle up to 2 million or more connections every minute. We point this out as many customers compare our connection ability with that of their Router, which uses a timeframe of minutes.

To see the contents of the Connection Table
From the Web GUI Main Menu, Click on ->Reports & Graphing->Active Connections

BUFFERS (no longer on Web GUI, Default = 900)

Legacy variable (no longer visible on the latest NetEqualizer Web GUI). BUFFERS controls the number of connections that can simultaneously be penalized (slowed down). When NetEqualizer sets a penalty on a connection, it assigns a delay buffer to this connection to slow it down. NetEqualizer reserves a finite number of delay buffers when it powers up. The preset value for BUFFERS from our factory-delivered NetEqualizer is designed to handle any size network and need not be changed.

Note: If you manually edit the NetEqualizer configuration file, you will see BUFFERS in the configuration. Please keep it set to its default value of 900.

INACTIVE_TICS (units are hundredths of seconds, Default = 200)

This is how long an entry in the BRAIN_TABLE will live before being removed if no activity is detected. Generally we are not interested in connections that are idle. For example, a value of 200 for this parameter instructs the NetEqualizer to cancel tracking a connection after 2 seconds.

Viewing your Parameter Settings


Once you have set all your parameters, you can view your current parameter settings.
From the Web GUI Main Menu, Click on ->Parameters->Browse parameters
Current parameter settings are listed on the screen in the "[PARAM all]" section.

Bandwidth Rules: Priority and Limits
NetEqualizer's default equalizing rules (default mode) are able to handle congestion-related traffic flow problems for most organizations. Most types of traffic that organizations want to prioritize are prioritized by default just by using the default equalizing rules. However, some organizations need to set up Bandwidth Rules for specific traffic types, either to change their priority or to limit their bandwidth usage. NetEqualizer supports two types of Bandwidth Rules:

Bandwidth Priority Rules
Gives known IP addresses and their associated streams preferential treatment. Bandwidth Priority Rules are most often used for video traffic. For example, if a business is streaming training videos into corporate offices, a "Priority Host" Rule would need to be set up to prioritize the IP address of the server or site hosting the training videos.

Bandwidth Limiting Rules
Limits the amount of bandwidth a specific IP address or set of IP addresses can use. Typically used to carve out maximum bandwidth usages for a particular subscriber base. For example, a college network administrator may want to set up separate bandwidth usage categories with separate bandwidth limits for each of three subnets: 1) students, 2) faculty, and 3) administrators. This would be accomplished by using the "Pools" Bandwidth Limiting Rule, which can be used to set up three separate pools, each with their own bandwidth limit:

    Pool1 = students        2Mbps up / 1Mbps down
    Pool2 = faculty         5Mbps up / 2Mbps down
    Pool3 = administrators  3Mbps up / 1.5Mbps down

Bandwidth Priority Rules


How does NetEqualizer grant priority for IP addresses? NetEqualizer recognizes two classes of traffic:

1. Priority Traffic
2. Data Traffic

When Priority Traffic is detected, the bandwidth allocation for the rest of the Data Traffic is reduced. When NetEqualizer identifies a priority IP address, it typically performs the following process:

a. A priority IP address becomes active.
b. NetEqualizer dynamically reduces the data congestion ratio (RATIO parameter) by a few percent.
c. This action (b) forces the PENALTY mechanism to kick in a bit sooner for non-priority streams, thus reserving space for your priority traffic.
d. Priority traffic is given immunity to flow control. These streams will not be slowed by PENALTIES applied in Equalizing (Default Mode). However, any Bandwidth Limiting Rules, such as Hard Limits, will remain in effect.

Setting Priority Hosts


To set up a Priority Host, also known as a Priority IP Address
From the Web GUI Main Menu, Click on ->Add Rules->Priority Host

Priority Host allows you to select a specific IP address for priority treatment. Once set, this IP address, and any connection it is part of, will receive priority. The VAL field in the set up tab specifies how much bandwidth to allocate for each connection using this IP address.

NOTE: Use Priority Host sparingly. The most common mistake for new installations is to try to give priority to all important business applications. This is rarely actually needed, as most business applications will already be getting preferential treatment from default Equalizing (Default Mode).

Priority traffic is assured bandwidth, up to the size of your network pipe, and your data traffic is dynamically pushed into a smaller bandwidth window. Note that if you set too many priority hosts, you will push all your remaining traffic into a very small window.

Factory delivered, NetEqualizer defaults are set to perform congestion control on your trunk when it becomes 85 percent full. In most cases, important business applications, such as VoIP, Citrix, Blackboard, web browsing, and e-mail will receive preferential treatment, and therefore there is no need to assign priority. In general, we find that only video servers require priority treatment.

Bandwidth Limiting Rules


NetEqualizer also enables you to limit the amount of bandwidth a specific IP address or set of IP addresses can use. There are multiple ways to configure this in the NetEqualizer, to best meet your needs. We will go through each in detail below:

1. Connection Limits     Used to control peer-to-peer traffic.
2. Hard Limits by IP     Individual limits by IP or subnet.
3. Adding Bursting by IP Burst a Hard Limit by IP.
4. Bandwidth Pools       Shared limits by IP or subnet.
5. VLAN Hard Limits      Shared limits by VLAN.
6. Hard Limits by MAC    Individual limits by MAC address.

Setting Connection Limits



Connection Limits control the number of inbound and outbound data streams (IP pairs or "connections") that each user on your network can create. Connection Limits are bi-directional; any limit you set is divided in two and applied. For example, a Connection Limit of sixty (60) would be turned into two connection limits: thirty (30) inbound and thirty (30) outbound connections.
There are more reasons for system administrators to limit connections to a server than we can possibly include in this discussion. The APconnections design team developed this feature within NetEqualizer to lessen the effects of Peer-to-Peer traffic (P2P) and Denial of Service (DoS) attacks, which we will discuss here.

Peer-to-Peer traffic attempts to create hundreds, or possibly thousands, of simultaneous connections to absorb a lot of your network bandwidth. Setting Connection Limits effectively blocks or reduces P2P by not allowing connections over the limit you specify.

In a DoS attack, storms of incoming connections are generated by hackers with the intention of overwhelming a server or servers. An attacker will spoof requests, sending storms of erroneously addressed connection requests to your server. These request storms create overwhelming administrative overhead, crippling the server and requiring a reboot by IT staff. While there are techniques that attempt to validate the incoming requests by sending queries back to the sending IP address for verification, these approaches create more traffic on the network. Instead of this approach, we chose to address the issue by setting DoS protection via Connection Limits.

NetEqualizer Connection Limits keep a total count of active connections (of any type) per IP address. Additional connections are dropped. Connection Limits can be set per individual IP or for an entire subnet at one time.

To set up a Connection Limit
From the Web GUI Main Menu, Click on ->Add Rules->Connection Limits

To see your Connection Limits
From the Web GUI Main Menu, Click on ->Miscellaneous->Show NetEq config
You will see something like the following:

    CONNECTION 10.1.1.11/32 30 0

There will be one row, encompassing both an inbound and outbound Connection Limit, listing half the value you selected (i.e. for VAL=60, you would see 30 in the row as above).
The rows will start with "CONNECTION" and also show the IP address(es) that are being connection limited. Most normal users typically peak out at 10 to 15 connections per second each for INBOUND and OUTBOUND traffic, so a Connection Limit of 40 would suffice in most cases. Setting a Connection Limit = 40 is a good recommendation and excellent at controlling most Peer to Peer traffic. Note: If you have online gamers on your network, you may need to set your Connection Limit as high as sixty (60) to facilitate online game playing. Order is important in setting up Individual Connection Limits! If you set up Connection Limits for an entire subnet, and want to have a different Connection Limit apply to an IP address within that subnet, you would need to do the following: Set up Connection Limit for an individual IP address Set up Connection Limit for entire subnet /16, /24, or /32

Typically this would be done if you had an e-mail or DNS server within the subnet range that might require additional connections during network operation. We recommend setting Connection Limits = 3,000 for email and DNS servers.

To see your Active Connections
From the Web GUI Main Menu, Click on ->Reports & Graphing->Active Connections

You can also set up a Global Connection Limit on your network. This would set a connection limit to apply to all IP addresses.

To set up a Global Connection Limit
From the Web GUI Main Menu, Click on ->Add Rules->Global Connection Limit

As with Individual Connection Limits, the Global Connection Limit will be set to half of this value for IN traffic and half for OUT traffic.

Note: We recommend using Individual Connection Limits over a Global Connection Limit. This is due to the fact that the limit looks at both the source IP address and the destination IP address in determining a connection limit. While this is fine in many cases, this can have unforeseen consequences where an internet address is accessed at a great frequency. For example, if students on a network all access YouTube, and the broadcast IP address for youtube.com is the same, a Global Connection Limit would cause YouTube to be connection limited. Many students would not be able to access the YouTube website.
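The following Python model is an added illustration of the Connection Limit behaviour described in this section; it is not NetEqualizer's own code. It reproduces the two rules the guide states: the GUI value VAL is halved into an inbound and an outbound limit, and rules are matched in the order they were entered, so an individual IP (here a constructed mail server at 10.1.1.5 needing 3,000 connections) must be listed before the subnet rule that would otherwise catch it. The first-match lookup, the per-direction counting, and the sample addresses are assumptions made for the illustration.

```python
"""Per-IP Connection Limit model.

Added illustration of the NetEqualizer Connection Limit rules described in
the guide; not the appliance's own code. Mirrors the guide's statements that
VAL is split in half between inbound and outbound, and that an individual IP
must be entered before its subnet (modelled here as first-match lookup).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ConnRule:
    network: ipaddress.IPv4Network
    in_limit: int    # per-direction limit, i.e. VAL // 2
    out_limit: int


def rule_from_val(cidr, val):
    """Build a rule the way the GUI does: VAL is halved per direction."""
    return ConnRule(ipaddress.ip_network(cidr, strict=False), val // 2, val // 2)


def first_match(rules, ip):
    """First rule whose network contains ip, or None. Rules are checked in
    the order they were entered, which is why ordering matters."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if addr in rule.network:
            return rule
    return None


class ConnectionLimiter:
    """Counts active connections per (IP, direction) and drops new ones
    once the matching rule's per-direction limit is reached."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.active = defaultdict(int)

    def admit(self, ip, direction):
        """Return True if a new connection is allowed, False if it is dropped."""
        rule = first_match(self.rules, ip)
        if rule is not None:
            limit = rule.in_limit if direction == "in" else rule.out_limit
            if self.active[(ip, direction)] >= limit:
                return False
        self.active[(ip, direction)] += 1
        return True

    def close(self, ip, direction):
        """A finished connection frees its slot."""
        if self.active[(ip, direction)] > 0:
            self.active[(ip, direction)] -= 1


def admitted(rules, ip, direction, attempts):
    """How many of `attempts` simultaneous connection attempts get through."""
    limiter = ConnectionLimiter(rules)
    return sum(1 for _ in range(attempts) if limiter.admit(ip, direction))


# Constructed sample: a mail server at 10.1.1.5 gets the recommended 3,000,
# the rest of 10.1.1.0/24 gets the recommended 40. Only the first ordering
# gives the server its own limit.
CORRECT_ORDER = [rule_from_val("10.1.1.5/32", 3000), rule_from_val("10.1.1.0/24", 40)]
WRONG_ORDER = [rule_from_val("10.1.1.0/24", 40), rule_from_val("10.1.1.5/32", 3000)]

if __name__ == "__main__":
    print("server, correct order:", admitted(CORRECT_ORDER, "10.1.1.5", "in", 100))
    print("server, wrong order:  ", admitted(WRONG_ORDER, "10.1.1.5", "in", 100))
    print("workstation:          ", admitted(CORRECT_ORDER, "10.1.1.77", "in", 100))
```

With the rules in the wrong order the mail server is caught by the /24 rule and only 20 inbound connections (40 halved) are admitted; with the individual rule first all 100 attempts succeed, while an ordinary workstation in the subnet is still held to 20.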

Setting Hard Limits by IP

This command is used to set a fixed amount of individual bandwidth to a single IP address or an entire set of IP addresses specified by a subnet mask (all IP addresses in the subnet range will receive the specified hard limit). Hard limits can be set up for a Class B subnet, Class C subnet, or any legal subnet value 1-32. The bandwidth assigned is not shared. For example, if you set up 2Mbps up/1Mbps down for four different IP addresses, each IP address will get 2Mbps/1Mbps to use.

To set up a Hard Limit by IP
From the Web GUI Main Menu, Click on ->Add Rules->Hard Limit by IP

NetEqualizer allows up to 60 thousand (60,000) unique active Hard Limits.

Notes: In version 4.7 and above, NetEqualizer supports "bursting" for your Hard Limits. See "Adding Bursting to Hard Limits" for details. Tips on fine tuning the behavior of HARD LIMITS can be found in Appendix 3.

Adding "Bursting" to Hard Limits

In addition to setting a Hard Limit by IP address, as of software update 4.7, we have enabled "bursting" above the Hard Limit. Prior to the bursting feature, the top speed allowed for each user was fixed at the set Hard Limit. Now with bursting, a user can be allowed a burst of bandwidth for up to 10 seconds at two, three, four, or any multiple of their base Hard Limit.

For example, if a user has an incoming base Hard Limit of 2 megabits a second, and a burst factor of 4, then their inbound connection will be allowed to burst all the way up to 8 megabits for 10 seconds (2Mbps HARD LIMIT x 4 BURST FACTOR = 8Mbps inbound BURST LIMIT), at which time it will revert back to the original 2 megabits per second. If the outgoing base Hard Limit was set to 1 megabit per second, with the same burst factor, the outbound BURST LIMIT would be 4Mbps.

This type of burst will be noticed when loading large Web pages full of graphics. From a user's perspective, they will essentially fly up in the browser at warp speed. In order to make bursting a special feature, it obviously can't be on all the time. For this reason, by default the NetEqualizer will force a user to wait 80 seconds before they can burst again.

To set up Bursting on an IP Address
From the Web GUI Main Menu, Click on ->Add Rules->Hard Limit by IP
The last field in the command specifies the burst factor. Leave this field set to 1 for no bursting, or set it to a multiple greater than 1 for bursting. BURST FACTOR is multiplied by the incoming and outgoing HARD LIMITs to arrive at the BURST LIMITs (the speed you wish to burst up to). For our example above:

2Mbps incoming HARD LIMIT x 4 BURST FACTOR = 8Mbps inbound BURST LIMIT
1Mbps outgoing HARD LIMIT x 4 BURST FACTOR = 4Mbps outbound BURST LIMIT

Note: Once bursting has been set up, bursting on an IP address will start when that IP exceeds its rate limit (across all connections for that IP). The burst applies to all connections across the IP address.

To remove Bursting on an IP Address
You must remove the Hard Limit on the IP address and then recreate the Hard Limit by IP without bursting defined.
From the Web GUI Main Menu, Click on ->Remove/Deactivate Rules
Select the appropriate Hard Limit from the drop-down box.
Click on ->Remove Rule
To re-add the rule without bursting, from the Web GUI Main Menu, Click on ->Add Rules->Hard Limit by IP and leave the last field set to 1.

There are two global burst parameters that apply to all bursting that you have set up. These are BURST DELAY, the time between bursts, and BURST DURATION, how long a burst lasts. BURST DELAY defaults to 80 seconds. BURST DURATION defaults to 10 seconds.

To change the global burst parameter defaults
From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
In the space provided you would type in the following command:

/usr/sbin/brctl setburstparams my 40 30

(assuming you wanted the BURST DELAY to be 40 and BURST DURATION to be 30)

The first parameter, BURST DELAY, is the time, in seconds, an IP must wait before it can burst again. If an IP has done a burst cycle it will be forced to wait this long in seconds before it can burst again. BURST DELAY defaults to 80 seconds. This means that an IP address will wait 80 seconds after its last burst duration completes before bursting again.

The second parameter, BURST DURATION, is the time, in seconds, an IP will be allowed to burst before being relegated back to its base Hard Limit.

Note: At this time, the global burst parameters are not persistent, meaning you will need to put a command in the startup file (autostart) if you want them to stick between re-boots. You need to add this line to the bottom of the autostart file.

To edit the autostart file
From the Web GUI Main Menu, Click on ->Miscellaneous->Edit autostart
Add the following line at the bottom of the autostart file to change your global burst parameter settings:

/usr/sbin/brctl setburstparams my 40 30

Bursting and Speed Tests
With the default settings of 10 second bursts and an 80 second time out before the next burst, it is unlikely a user will be able to see their full burst speed accurately with a speed test site. The easiest way would be to extend the burst time to minutes, instead of the default 10 seconds, and then run the speed test. With the default set at 10 seconds, the best way to see a burst in action is to take a continuous snapshot of an IP's consumption during an extended download.

Note: Before you implement bursting, you may want to consider the downside of bursting. See our 2009 blog article on this subject.
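The timeline model below is an added illustration of how BURST FACTOR, BURST DURATION and BURST DELAY interact, written for this section of the guide; it is not NetEqualizer's shaping code. The scheduling it implements is taken from the text above (a burst starts when the IP's demand exceeds its Hard Limit, runs for BURST DURATION seconds at HARD LIMIT x BURST FACTOR, and the IP then waits BURST DELAY seconds before it may burst again), with a one-second simulated clock; the exact timing inside the appliance is an assumption. The `set_burst_params` helper mirrors the two values passed to the `setburstparams` command above and is not a real API.

```python
"""Burst timeline model.

Added illustration of BURST FACTOR, BURST DURATION and BURST DELAY as
described in the NetEqualizer guide; not the appliance's own code. The
burst schedule is assumed from the text: burst when demand exceeds the
Hard Limit, hold BURST DURATION seconds, then wait BURST DELAY seconds.
Rates are bits per second; each call to allowed() is one simulated second.
"""
from dataclasses import dataclass

MBPS = 1_000_000


@dataclass
class BurstLimiter:
    hard_limit: int           # bits/s for one direction (inbound or outbound)
    burst_factor: int = 1     # 1 = no bursting, the GUI default
    burst_duration: int = 10  # seconds; global default per the guide
    burst_delay: int = 80     # seconds; global default per the guide
    now: int = 0              # simulated clock, seconds
    burst_until: int = 0      # bursting while now < burst_until
    next_burst_at: int = 0    # earliest second a new burst may start

    @property
    def burst_limit(self):
        """BURST LIMIT = HARD LIMIT x BURST FACTOR."""
        return self.hard_limit * self.burst_factor

    def allowed(self, demand):
        """Bandwidth granted for the current second, then advance the clock."""
        t = self.now
        self.now += 1
        if t < self.burst_until:                  # inside a burst window
            return min(demand, self.burst_limit)
        can_burst = (self.burst_factor > 1 and demand > self.hard_limit
                     and t >= self.next_burst_at)
        if can_burst:                             # start a new burst
            self.burst_until = t + self.burst_duration
            self.next_burst_at = self.burst_until + self.burst_delay
            return min(demand, self.burst_limit)
        return min(demand, self.hard_limit)       # cooling down or idle


def timeline(limiter, demand, seconds):
    """Granted rate for each of `seconds` seconds of constant demand."""
    return [limiter.allowed(demand) for _ in range(seconds)]


def set_burst_params(limiter, delay, duration):
    """Hypothetical helper mirroring `setburstparams <delay> <duration>`."""
    limiter.burst_delay = delay
    limiter.burst_duration = duration
    return limiter


if __name__ == "__main__":
    # The guide's example: 2 Mbps inbound Hard Limit, burst factor 4.
    inbound = BurstLimiter(hard_limit=2 * MBPS, burst_factor=4)
    rates = timeline(inbound, demand=10 * MBPS, seconds=100)
    print("burst limit:", inbound.burst_limit)
    print("seconds at 8 Mbps in the first 100 s:", rates.count(8 * MBPS))
```

With the defaults, a host that keeps demanding 10 Mbps gets 8 Mbps for seconds 0 to 9, drops to 2 Mbps for the 80-second delay, and bursts again at second 90, which is why a 10-second burst rarely registers on a speed test; setting the global parameters to 40 and 30 as in the command above lengthens the window to 30 seconds.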

Setting up Bandwidth Pools

A Bandwidth Pool is a collection of IP addresses that share a bandwidth allocation. Once IP addresses are contained within a bandwidth pool, the sum total of bandwidth for all the IP addresses will not be allowed to exceed more than the total bandwidth allocated to the bandwidth pool. For example, if four IP addresses are set in a pool, and the pool bandwidth is set at 1Mbps, then the total bandwidth for all four IPs is 1Mbps (the total, not per IP). Pools were added to NetEqualizer to accommodate cases where bandwidth is advertised and sold as "you are one of n customers sharing x bandwidth".
Think of a pool as a "virtual NetEqualizer". You can group users into logical trunks by IP address and apply equalizing technology to each logical group (bandwidth pool). For the example above, equalizing will occur across the four IPs in the 1Mbps bandwidth pool. Equalizing is performed in the same fashion as across your entire network trunk, but in this case it equalizes within the bandwidth pool. When the total bandwidth threshold for that pool is reached, determined by the RATIO parameter, then any large connections (over HOGMIN) associated with IP addresses within the bandwidth pool will be penalized.

Virtual equalizing was added for network topologies where bandwidth congestion is occurring at nodes in the network, not necessarily at the WAN/LAN connection. For example, this could be occurring in a wireless network where bandwidth congestion occurs at the wireless hotspots or in the backhaul connections. Individual bandwidth pools can be defined with the IPs of users at each hotspot and equalizing applied per hotspot.

Another example would be using bandwidth pools to set up equalizing at the subnet level. For example, a university may split their network into faculty, administrator, and student subnets. Each of these subnets could be defined as a bandwidth pool, with separate upload/download speeds that are shared by all users in the pool.

To set up a Bandwidth Pool
From the Web GUI Main Menu, Click on ->Bandwidth Pools->Add Pool

Large Bandwidth Pools (>=10Mbps)
In software update 4.7 and above, pool limits were enhanced for Large Bandwidth Pools (a bandwidth pool >=10 Mbps). We smoothed our rate limits so that packets are slowed down progressively before dropping packets. In order to implement this feature, you will need to run a tuning command. Please see Appendix 3 for instructions on how to tune the NetEqualizer to handle Large Bandwidth Pools.

Once a Bandwidth Pool is in the system, you can add and remove members.

To Add or Remove Members to a Bandwidth Pool
From the Web GUI Main Menu, Click on ->Bandwidth Pools->Add Member or Remove Member

Notes:
1) You can add individual IP addresses or entire subnets to Bandwidth Pools.
2) IP addresses within a Bandwidth Pool need not be contiguous. You can add members to a Bandwidth Pool in any order.
3) Bandwidth Pools cannot overlap with Hard Limits by IP. Once an IP address is in a Bandwidth Pool it may not also exist as an individual Hard Limit. You will get an error if you try to add an IP address to a Bandwidth Pool that already exists as a Hard Limit.
4) If you create a Priority Host IP address, and the IP address exists within a Bandwidth Pool, it will receive priority over other IP addresses within the pool.

To view all current Bandwidth Pools on your system
From the Web GUI Main Menu, Click on ->Bandwidth Pools->View Pools

To view all IP addresses assigned to Bandwidth Pools
From the Web GUI Main Menu, Click on ->Bandwidth Pools->View Members

Then select the Pool # of the Bandwidth Pool in the dropdown box.

To see Bandwidth Pools in the NetEqualizer Log file
Bandwidth usage for defined bandwidth pools is reported every 20 seconds in the standard NetEqualizer Log.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Show the Log

To remove a Bandwidth Pool
From the Web GUI Main Menu, Click on ->Bandwidth Pools->Remove Pool

Note: You do not need to remove all members from a Bandwidth Pool before you can remove it. You need to stop and restart the NetEqualizer process for changes to take effect after removing a bandwidth pool.
From the Web GUI Main Menu, Click on ->Miscellaneous->Stop NetEq then Miscellaneous->Start NetEq

The bandwidth restriction on a pool may fluctuate a bit depending on the type of traffic. Heavy use of UDP traffic tends to run over the limit, and heavy TCP/IP (FTP for example) will tend to be held below the limit.

In NetEqualizer Software Update 4.5 and above, Bandwidth Pools can number from 1 to 300; up to 300 different bandwidth pools per NetEqualizer (for previous versions the number is limited to 40).

Note: Tips on fine tuning the behavior of Bandwidth Pools can be found in Appendix 3.

Setting Hard Limits by VLAN

If you utilize VLANs on your network, you can set up your bandwidth limit rules to utilize your predefined VLANs.

To set up a VLAN Hard Limit
From the Web GUI Main Menu, Click on ->Add Rules->VLAN Hard Limit
Select a VLAN id from 1 to 2000.
Set the incoming bytes per second.
Set the outgoing bytes per second.

This will create a shaping rule and cause the NetEqualizer to enforce your rate limit such that the aggregate bandwidth usage of all current VLAN users will not exceed the values selected for incoming and outgoing bytes per second.

In addition to enforcing the VLAN rate limits, the NetEqualizer will perform Equalizing across all users on the VLAN when Default Rules are on. This works similarly to Bandwidth Pools, in that "virtual equalizing" is applied across all users on a VLAN. For example, if you set the download limit on a specific VLAN to 192,000 bytes per second (T1) and the VLAN usage level reaches 85 percent, the NetEqualizer will begin to penalize any connection exceeding the value of HOGMIN within the VLAN.

Large VLANs (>=10Mbps)
In software update 4.7 and above, VLAN Limits were enhanced for Large VLANs (>=10 Mbps). We have smoothed our rate limits so that packets are slowed down progressively before dropping packets. In order to implement this feature, you will need to run a tuning command. Please see our write-up on how to do this in Appendix 3.

Note: If you limit by VLAN, you should not set up Hard Limits by IP that cross over the same range of IP addresses.
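The Python model below is an added illustration of the "virtual equalizing" decision described for Bandwidth Pools and, as the VLAN section says it works the same way, for VLAN Hard Limits; it is written for this guide and is not NetEqualizer's shaping code. It also enforces the guide's note that a pool member may not already carry a Hard Limit by IP. Assumptions made for the illustration: RATIO is the percentage of a pool's limit at which the pool counts as congested (85 is used as a placeholder, matching the VLAN example above), HOGMIN is a placeholder value in bytes per second, and IPs that belong to no pool fall into pool 0, the whole trunk, as the log section of the guide describes.

```python
"""Bandwidth Pool / VLAN 'virtual equalizing' model.

Added illustration of the penalty decision described in the NetEqualizer
guide for Bandwidth Pools and VLAN Hard Limits; not the appliance's own
shaping code. Assumptions: RATIO is a percentage of the pool limit, HOGMIN
is bytes/s, and IPs in no pool belong to pool 0 (the whole trunk).
"""
import ipaddress
from collections import defaultdict


class PoolConfig:
    def __init__(self, trunk_down, trunk_up, ratio, hogmin):
        self.limits = {0: (trunk_down, trunk_up)}  # pool# -> (down, up) bytes/s
        self.members = []                          # (network, pool#) in add order
        self.hard_limit_ips = set()                # IPs with an individual Hard Limit
        self.ratio = ratio                         # percent of the limit
        self.hogmin = hogmin                       # bytes/s

    def add_pool(self, pool_id, down, up):
        if not 1 <= pool_id <= 300:   # range the guide states for 4.5 and above
            raise ValueError("pool number must be 1-300")
        self.limits[pool_id] = (down, up)

    def add_hard_limit(self, ip):
        self.hard_limit_ips.add(ipaddress.ip_address(ip))

    def add_member(self, cidr, pool_id):
        """Guide note 3: a pool member may not also carry a Hard Limit by IP."""
        net = ipaddress.ip_network(cidr, strict=False)
        if pool_id not in self.limits:
            raise KeyError(f"pool {pool_id} is not defined")
        clash = sorted(str(ip) for ip in self.hard_limit_ips if ip in net)
        if clash:
            raise ValueError(f"{cidr} overlaps Hard Limit(s): {clash}")
        self.members.append((net, pool_id))

    def pool_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, pool_id in self.members:
            if addr in net:
                return pool_id
        return 0


def penalty_candidates(cfg, connections):
    """connections: dicts with 'ip' (the local host), 'direction' ('down' or
    'up') and 'wavg' (bytes/s). Returns the connections that earn a PENALTY:
    those over HOGMIN inside a pool whose usage in that direction has reached
    RATIO percent of the pool limit."""
    usage = defaultdict(int)
    for c in connections:
        usage[(cfg.pool_of(c["ip"]), c["direction"])] += c["wavg"]
    hit = []
    for c in connections:
        pool = cfg.pool_of(c["ip"])
        limit = cfg.limits[pool][0 if c["direction"] == "down" else 1]
        congested = usage[(pool, c["direction"])] * 100 >= limit * cfg.ratio
        if congested and c["wavg"] > cfg.hogmin:
            hit.append(c)
    return hit


def sample_config():
    """Constructed sample: a 10 Mbps trunk plus the guide's 1 Mbps pool of
    four IPs. ratio=85 and hogmin=12_000 are placeholder values."""
    cfg = PoolConfig(trunk_down=1_250_000, trunk_up=1_250_000, ratio=85, hogmin=12_000)
    cfg.add_pool(1, down=125_000, up=125_000)   # 1 Mbps = 125,000 bytes/s
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13"):
        cfg.add_member(ip + "/32", 1)
    return cfg


SAMPLE_CONNECTIONS = [  # constructed Active Connections snapshot
    {"ip": "10.1.1.10", "direction": "down", "wavg": 90_000},
    {"ip": "10.1.1.11", "direction": "down", "wavg": 30_000},
    {"ip": "10.1.1.12", "direction": "down", "wavg": 5_000},
    {"ip": "10.1.1.13", "direction": "up", "wavg": 20_000},
    {"ip": "10.2.2.2", "direction": "down", "wavg": 50_000},   # trunk only
]

if __name__ == "__main__":
    for c in penalty_candidates(sample_config(), SAMPLE_CONNECTIONS):
        print("PENALTY", c["ip"], c["direction"], c["wavg"])
```

In the constructed snapshot the pool's download side is exactly at its 125,000 bytes/s limit, so the two connections over HOGMIN are penalized while the 5,000 bytes/s one is left alone; the pool's upload side and the lightly loaded trunk are not congested, so nothing there is touched.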

Setting Hard Limits by MAC address

MAC addresses are the unique identifiers of Ethernet cards on user or client machines. Usually the MAC address of an Ethernet card is printed on the card. When NetEqualizer shapes traffic by MAC address, it limits traffic to and from a specific host based on the MAC address located on the Ethernet card of the host.

To set up a Hard Limit by MAC address
From the Web GUI Main Menu, Click on ->Shape by MAC->Add MAC Limit
Note: You also need to start MAC shaping, once all your Hard Limits by MAC address are in place.
From the Web GUI Main Menu, Click on ->Shape by MAC->(Re)start MAC shaping

To remove a Hard Limit by MAC address
From the Web GUI Main Menu, Click on ->Shape by MAC->Remove MAC Limit
Note: You also need to restart MAC shaping, once your removal is complete.
From the Web GUI Main Menu, Click on ->Shape by MAC->(Re)start MAC shaping

To view all of your Hard Limits by MAC address
From the Web GUI Main Menu, Click on ->Shape by MAC->Show MAC Limits

To stop hard limiting by MAC address
From the Web GUI Main Menu, Click on ->Shape by MAC->Stop MAC shaping
This command will turn off all your MAC Hard Limits.

Note: We recommend using Hard Limits by IP address instead of shaping by MAC address. This is due to the fact that MAC addresses in many cases do not make it through Routers or Access Points. Most of the time you would only see the address of the Router or Access Point, which would not enable you to shape down to the user level on your network.

Removing Bandwidth Priority or Limiting Rules

To remove Connection Limits, Hard Limits by IP, Masks, Priority Hosts, VLAN Hard Limits, or Members of a Pool
From the Web GUI Main Menu, Click on ->Remove/Deactivate Rules
Select the appropriate shaping rule from the drop-down boxes.
Click on ->Remove Rule
Bandwidth Usage

Bandwidth Usage features encompass defining how much bandwidth to give a user over a specified time period (setting user quotas), how to handle unauthorized access attempts (MAC redirection), and ensuring that local network traffic is not equalized (masks).

1. Setting User Quotas - Define bandwidth usage limits for a time period.
2. MAC Redirection - Define authorized MACs on your network.
3. Masks - Local traffic hidden from NetEqualizer.

Setting User Quotas (User-Quota API)

NetEqualizer software update 4.5 and above enables you to develop a system to enforce quota bandwidth limits for your customers, by tracking usage over time across an IP address or set of IP addresses. This functionality is provided via the NetEqualizer UserQuota API (NUQ API) Programmer's Toolkit. Other industry terms for this process include bandwidth allotment and usage-based service.

Background
Prior to the 4.5 release, we provided a GUI-based user limit tool, but it was discontinued with release 4.0. The GUI tool did not have the flexibility for application development and was inadequate for customizations. The NetEqualizer User-Quota API (NUQ API) programmer's toolkit is our replacement for the GUI tool. The motivation for developing the toolkit was to allow ISPs, satellite providers, and other Internet management companies to customize their business processes around user limits. The NUQ API is a quick and easy way to string together a program of actions in unique ways to meet your needs. However, it does require basic programming/Linux skills.

Terms of Use
APconnections, the maker of the NetEqualizer, is an OEM manufacturer of a bandwidth shaper. The toolkit (see Appendix 6) provides short examples of how to use the NUQ API to get you started developing a system to enforce quota bandwidth limits for your customers. You are free to copy/paste and use our sample programs in the programmer's toolkit to your liking. However, NUQ-API questions and support are not covered in the normal setup of the NetEqualizer product (NSS) and must be negotiated separately. Please call 303.997.1300 x103 or email sales@apconnections.net to set up a support contract for the NUQ API programmer's toolkit.

Once you have upgraded to version 4.5 and have purchased a current NSS, please contact APconnections for installation instructions. Once installed, you can find the tools available in the directory /art/quota.

Starting the Quota Server
In order to use the NUQ API programmer's toolkit, you must have the main quota server running.

To start the quota server from the Linux command line
From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
Then type:

# /art/quota/quota &

Once the quota main process is running, you can make requests using the command line API. The following API commands are available. To see an example of how to use these commands, please reference Appendix 6.

NUQ API Commands

Command - Use
# /art/quota/quota & - MUST BE RUN FIRST. To start the quota server from the NetEqualizer command line.
quota_create - To start tracking data for a block (subnet) of IP addresses in a range.
quota_remove - To remove a block of IP addresses from the quota system.
quota_set_alarm - To set an alarm when an IP address reaches a defined limit. Alarm notifications will be reported in the log /tmp/quotalog.
quota_remove_alarm - To remove all alarms in effect on the specified subnet.
quota_reset_ip - Will reset the usage counters for the specified subnet range.
quota_status_ip - To show the current usage byte count for the specified IPs in the range to the console. The usage counters must be initiated with the quota_create command. Will also put usage statistics to the default log /tmp/quotalog.
quota_rules - To display all current quota rules in effect.
ADD_CONFIG HARD - Used to set a Hard Limit on an IP address or set of IP addresses. This would be the normal response should a user exceed their quota. HARD is a constant that specifies the type of operation. In this case, HARD indicates "hard limit".
REMOVE_CONFIG HARD - Used to remove a Hard Limit on an IP address or set of IP addresses.
QUOTALOG - Various status messages will get reported along with ALARMs and usage statistics.

We will be adding more examples and features in the near future. Please e-mail support@apconnections.net with feature requests and bug reports on this tool.
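The Python model below is an added illustration of the workflow the NUQ API commands above support: track a subnet, raise an alarm when an IP reaches its limit, and answer the exceeded quota with a Hard Limit. It is written for this section of the guide and is not the /art/quota toolkit; the method names mirror the API command names for readability, but the real commands' argument syntax is not shown on this page and is not assumed here. The quota limit, sample addresses and byte counts are constructed, and the `quotalog` list stands in for /tmp/quotalog.

```python
"""Quota tracking workflow.

Added illustration of the usage-over-time accounting behind the NUQ API
commands in the NetEqualizer guide; not the /art/quota toolkit itself.
Method names mirror the command names; their real argument syntax is not
assumed. ADD_CONFIG HARD is modelled as recording a Hard Limit for the IP.
"""
import ipaddress
from collections import defaultdict


class QuotaTracker:
    def __init__(self):
        self.tracked = []               # networks from quota_create
        self.alarms = {}                # network -> byte limit from quota_set_alarm
        self.usage = defaultdict(int)   # ip -> bytes counted this period
        self.alarmed = set()            # ips already reported, so each alarm fires once
        self.hard_limited = set()       # ips given ADD_CONFIG HARD
        self.quotalog = []              # stands in for /tmp/quotalog

    @staticmethod
    def _net(cidr):
        return ipaddress.ip_network(cidr, strict=False)

    def quota_create(self, cidr):
        self.tracked.append(self._net(cidr))

    def quota_remove(self, cidr):
        net = self._net(cidr)
        self.tracked = [n for n in self.tracked if n != net]
        self.alarms.pop(net, None)

    def quota_set_alarm(self, cidr, limit_bytes):
        self.alarms[self._net(cidr)] = limit_bytes

    def quota_remove_alarm(self, cidr):
        self.alarms.pop(self._net(cidr), None)

    def quota_reset_ip(self, cidr):
        net = self._net(cidr)
        for ip in list(self.usage):
            if ipaddress.ip_address(ip) in net:
                self.usage[ip] = 0
                self.alarmed.discard(ip)

    def quota_status_ip(self, cidr):
        net = self._net(cidr)
        status = {ip: b for ip, b in self.usage.items() if ipaddress.ip_address(ip) in net}
        self.quotalog.append(f"STATUS {cidr} {status}")
        return status

    def quota_rules(self):
        return [(str(n), self.alarms.get(n)) for n in self.tracked]

    def account(self, ip, nbytes):
        """Count traffic for ip; return ip the first time it reaches a limit."""
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in self.tracked):
            return None                    # untracked, nothing recorded
        self.usage[ip] += nbytes
        for net, limit in self.alarms.items():
            if addr in net and self.usage[ip] >= limit and ip not in self.alarmed:
                self.alarmed.add(ip)
                self.quotalog.append(f"ALARM {ip} {self.usage[ip]} >= {limit}")
                return ip
        return None

    def add_config_hard(self, ip):
        """The guide's usual reaction to an ALARM: put a Hard Limit on the IP."""
        self.hard_limited.add(ip)
        self.quotalog.append(f"ADD_CONFIG HARD {ip}")

    def remove_config_hard(self, ip):
        self.hard_limited.discard(ip)
        self.quotalog.append(f"REMOVE_CONFIG HARD {ip}")


def enforce(tracker, flow_samples):
    """Feed (ip, bytes) samples and hard-limit any IP that trips its alarm."""
    for ip, nbytes in flow_samples:
        hit = tracker.account(ip, nbytes)
        if hit:
            tracker.add_config_hard(hit)
    return sorted(tracker.hard_limited)


SAMPLE_FLOWS = [  # constructed (ip, bytes) usage samples
    ("10.1.1.11", 3_000_000_000),
    ("10.1.1.12", 1_000_000_000),
    ("10.1.1.11", 2_500_000_000),   # pushes 10.1.1.11 over a 5 GB limit
    ("192.0.2.5", 9_000_000_000),   # not in a tracked subnet, ignored
]

if __name__ == "__main__":
    qt = QuotaTracker()
    qt.quota_create("10.1.1.0/24")
    qt.quota_set_alarm("10.1.1.0/24", 5_000_000_000)   # constructed 5 GB quota
    print("hard limited:", enforce(qt, SAMPLE_FLOWS))
    print("\n".join(qt.quotalog))
```

Running the sample shows the alarm firing once for 10.1.1.11 after its second flow, the ADD_CONFIG HARD response being logged, and the untracked 192.0.2.5 never appearing in the usage table; `quota_reset_ip` zeroes the counter and re-arms the alarm for the next period.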

MAC Redirection

MAC Redirection is used to define MAC addresses that are authorized to be on your network. Any undefined MAC address is considered unauthorized and will be either:
1) "redirected" to a website of your choosing, or
2) dropped.

To set up MAC redirection
From the Web GUI Main Menu, Click on ->Shape by MAC->Setup MAC Redirect

You need to add ALL authorized MAC addresses (the MAC addresses you wish to allow on your network). Make sure to include your DNS servers in the allowed list.

To set up all authorized MAC addresses
From the Web GUI Main Menu, Click on ->Shape by MAC->Add MAC to macs.allow
Note: Each MAC and associated name or description must be unique.

To remove a MAC address from your authorized list
From the Web GUI Main Menu, Click on ->Shape by MAC->Remove MAC in macs.allow

Any time you add or remove an authorized MAC address, you will need to restart the NetEqualizer Firewall for the change to take effect.
From the Web GUI Main Menu, Click on ->Firewall->Start or Restart firewall

At this point only the authorized MAC addresses will pass through the system; the rest will be blocked. When enabled, MAC redirection looks at the macs.allow file when an outgoing connection is made from your network out to the Internet. If the user has a browser active, and the MAC address is unauthorized, it will drop the connection, unless you have redirected their browser to a website of your choosing.

To select the website to redirect to
From the Web GUI Main Menu, Click on ->Firewall->Sample Firewall Rules
You will find examples of setting up Redirection under this tab. Should you need assistance please call our Support Team at 303.997.1300 x102 or email support@apconnections.net. However, MAC Redirect questions and support are not covered in the normal setup of the NetEqualizer product (NSS) and must be negotiated separately.

Redirection to a web site is typically done to inform unauthorized users how to subscribe to your network or who to contact about your network and its use. You can also elect to just drop all unauthorized MACs, instead of redirecting them.

Masking Off Traffic

The masking features on NetEqualizer are intended to exclude Local Traffic crossing the NetEqualizer link from being considered for any shaping decisions. Masked traffic is invisible to the NetEqualizer. If you are utilizing the NetEqualizer to shape Internet Traffic going across your link, you should use the MASK feature to exclude Local Traffic (i.e. a computer talking to a server on your network).

Masking should not be used to prioritize traffic. Priority Hosts should be used to prioritize traffic, such as important video streams; do not use the MASK feature for this purpose.

There are two types of masking, paired and absolute. A host or subnet assigned as a paired mask will only be ignored if it is talking to another host or subnet that is also registered as a paired mask. By design, a Paired Mask will cause NetEqualizer to ignore hosts talking to other paired mask hosts, while at the same time subjecting the same hosts to NetEqualizer's bandwidth shaping rules if they make a connection with a server on the Internet. Absolute Masks ignore all traffic to or from the masked host or subnet regardless of the connection.

To set up a Paired or Absolute Mask
From the Web GUI Main Menu, Click on ->Add Rules->Mask
Masks can be set for an individual IP address, an entire subnet, or any legal subnet value 1-32.

Note: In most cases, you will not need to use masking. NetEqualizer is typically set up on your Internet link, and does not see Local Traffic.
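The following Python lookup is an added illustration of the paired versus absolute mask rule described above; it is not NetEqualizer's own code. A connection is exempt from shaping when either endpoint falls under an Absolute Mask, or when both endpoints fall under Paired Masks, so a paired-mask workstation is still shaped when it talks to the Internet. The subnets and flows in the sample are constructed (two local /16 ranges as paired masks, one monitoring host as an absolute mask, and 198.51.100.0/24 standing in for Internet hosts).

```python
"""Paired vs Absolute Mask decision.

Added illustration of the NetEqualizer masking rules; not the appliance's
own code. Absolute: either endpoint masked -> flow ignored. Paired: both
endpoints must be in paired masks for the flow to be ignored.
"""
import ipaddress


class MaskTable:
    def __init__(self):
        self.paired = []     # networks registered as Paired Masks
        self.absolute = []   # networks registered as Absolute Masks

    def add_mask(self, cidr, kind):
        """cidr may be a single IP or any subnet, as the guide allows."""
        net = ipaddress.ip_network(cidr, strict=False)
        if kind == "paired":
            self.paired.append(net)
        elif kind == "absolute":
            self.absolute.append(net)
        else:
            raise ValueError("mask kind must be 'paired' or 'absolute'")

    @staticmethod
    def _in_any(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    def is_masked(self, ip_a, ip_b):
        """True if a connection between ip_a and ip_b is invisible to shaping."""
        if self._in_any(ip_a, self.absolute) or self._in_any(ip_b, self.absolute):
            return True
        return self._in_any(ip_a, self.paired) and self._in_any(ip_b, self.paired)


def classify_flows(table, flows):
    """Split (ip_a, ip_b) pairs into (masked, shaped) lists."""
    masked = [f for f in flows if table.is_masked(*f)]
    shaped = [f for f in flows if not table.is_masked(*f)]
    return masked, shaped


def build_sample_table():
    """Constructed sample: workstations and local servers as paired masks,
    one monitoring host as an absolute mask."""
    table = MaskTable()
    table.add_mask("10.1.0.0/16", "paired")
    table.add_mask("10.2.0.0/16", "paired")
    table.add_mask("10.9.9.9/32", "absolute")
    return table


SAMPLE_FLOWS = [  # constructed connections (local host, peer)
    ("10.1.1.11", "10.2.0.5"),        # workstation to local server: masked
    ("10.1.1.11", "198.51.100.7"),    # workstation to Internet: shaped
    ("10.9.9.9", "198.51.100.7"),     # absolute-masked host anywhere: masked
    ("10.2.0.5", "10.9.9.9"),         # server to absolute-masked host: masked
]

if __name__ == "__main__":
    masked, shaped = classify_flows(build_sample_table(), SAMPLE_FLOWS)
    print("masked:", masked)
    print("shaped:", shaped)
```

Only the workstation's Internet connection ends up in the shaped list, which is the behaviour the guide describes for a paired mask; an absolute mask on the monitoring host hides all of its traffic, local or not.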

Monitoring and Reporting

NetEqualizer provides both real-time and historical reporting, in tabular and graphical formats. This enables you to see data in a format that is most meaningful to you, over a variety of timeframes.

Real-time reporting enables you to see what is going on in your network at this moment, in order to actively monitor and manage your network usage. We offer several reports that provide real-time visibility: 1) Instantaneous Bandwidth Usage, 2) Active Connections, 3) the NetEqualizer Log, and 4) Show MAC address for active IPs.

Historical reporting provides you a view into the trends of bandwidth usage on your network across time. This can help you in network design and planning activities, as well as to determine if your bandwidth level requirement is stable or increasing. Historical reporting is available via ntop, an open-source reporting tool that provides reports in both tabular and graphical formats.

Note: You can store and view up to one (1) month of data on the NetEqualizer, if you are running version 4.5 or greater. To view additional history, you can set up a process to dump data periodically to a separate ntop server.

Real-time Reporting
1. Instantaneous Bandwidth Usage - View bandwidth usage at this moment for a specified IP address.
2. To view Active Connections - View current live data streams (IP address pairs) on your network.
3. Show the NetEqualizer Log - View the NetEqualizer Log file.
4. Show MAC address for active IPs - View associated MAC address for active IP address connections.

Historical Reporting
5. Graphical Reporting - Use ntop (open source reporting tool) to generate graphs. Ntop is not available on the NETEQ-POE unit.
6. NetEqualizer Data Warehouse - Create a periodic dump of NetEqualizer data to run ntop reporting for > 1 month of history.
7. Sync with Internet Time - Change NetEqualizer to use NTP.

Real-time Reporting
These reports are available to help you see what is going on in your network at the present moment.

To view Instantaneous Bandwidth Usage

Curious about how much bandwidth a particular IP address, Pool, or VLAN is utilizing on your network? Instantaneous Bandwidth Reporting enables you to query in real-time right from the NetEqualizer Web GUI. This enables you to measure a customer's current bandwidth utilization by IP, VLAN or Bandwidth Pool, allowing you to actually see usage at this very moment, including any bursting that you have set up on an IP address. This instant bandwidth reporting feature is an industry first.
One of the things that we have noticed with reporting tools lately, including ntop (the reporting tool we integrate), is that there is no easy way to show instant bandwidth for a user. Most reporting tools smooth out usage over some time period; a 5 minute average is the norm.

When is an Instant Bandwidth Reporting Tool useful?
1) The five minute average reporting tool is of little use when a customer calls and tells you they are not getting their expected bandwidth on a speed test or video. In these cases it is best to see the instant report while they are consuming the bandwidth, not averaged into a 5 minute aggregate.
2) If a customer has a fixed rate cap, and calls and reports that their VOIP is not working well, the easiest and quickest way to check their consumption during a VOIP call is to see it now. You don't need a fancy protocol analyzer to tell them that their file download specifically is using up their full 1 megabit allocation. You just need to know that their line is clear and that they are consuming the full megabit at this instant.

To view instantaneous bandwidth
From the Web GUI Main Menu, Click on ->Reports & Graphing->Show Instant report
You can run the command multiple times by typing in a value greater than 1.

Results will show last second usage in two lines: bandwidth down (inbound) and bandwidth up (outbound).

To view all Active Connections

Active Connections shows the data streams (pairs of IP addresses) that are currently live on your network. As the NetEqualizer is typically shaping an Internet connection, this will show all active Internet connections your NetEqualizer is currently seeing. You can utilize this report to see what data streams are "hogging" your network by looking at the Wavg value. Wavg values over HOGMIN will be equalized when your network is congested.

To view all active internet connections
From the Web GUI Main Menu, Click on ->Reports & Graphing->Active Connections

Note in this example below that index #s 0-2, 22-24, and 26-28 are network hogs, as their Wavgs are quite large.

The Active Connections Report contains the following fields:

Field Header - Definition
Index - Table row #
SRCP - The source port for this connection
DSTP - The destination port for this connection (the service being requested: http, FTP, etc.)
Wavg - A weighted average of total bytes on this connection per second for the last eight seconds
Avg - The average in bytes per second since this IP pair came into the table
IP1 - Source IP address
IP2 - Destination IP address
Ptcl - The protocol (ICMP, TCP/IP, UDP)
Port - Inbound (value = 1) or Outbound (value = 0).
Pool - Pool #. Default is 0 (no bandwidth pools set up). Otherwise, bandwidth pool #. If you have VLANs set up, this will show the VLAN #.

Show the NetEqualizer Log File


(back) The NetEqualizer Log File contains a record of the actions of the NetEqualizer. To view the NetEqualizer Log. From the Web GUI Main Menu, Click on ->Reports & Graphing->Show the Log You will see the last 25 lines of the NetEqualizer Log file. In the NetEqualizer Log File, you will see three main types of entries, discussed below: 1) Traffic UP and DOWN 2) PENALTY Entries 3) PENALTY THRESHOLD - Traffic flowing on your network in bytes/second. - Actual penalties being applied. Contains the word PENALTY followed by two IP addresses. - For informational purposes only. These are not penalties being applied.

1) Traffic UP and DOWN
Approximately every twenty seconds, the NetEqualizer Log will contain a date and time stamped entry for traffic UP (outbound) and traffic DOWN (inbound). This is instantaneous bytes per second of traffic in each direction flowing on your network.

2) PENALTY Entries
A PENALTY entry means that NetEqualizer has decided that a communication link between two IP addresses (a connection) is using too much bandwidth, and so NetEqualizer has levied a PENALTY against this connection. The penalty causes all data on this connection to slow down by PENALTY_UNIT. If this connection continues to use too much bandwidth, NetEqualizer will increase the amount of this delay, up to your MAX_PENALTY.

3) PENALTY THRESHOLD per Bandwidth Pool (informational only)
The PENALTY THRESHOLD shows the threshold where penalties will occur, by bandwidth pool. If no bandwidth pools are defined, the default pool 0 (entire network trunk) will be displayed. When the trunk (or bandwidth pool) is not congested, the UP and DOWN values are simply your defined trunk (bandwidth pool) size. When congestion is occurring, UP and DOWN are the values used to determine how much traffic a user (connection) has to pull to be eligible for a PENALTY. The smallest this value can be is HOGMIN.

Note: PENALTY_THRESHOLD lines are NOT actual penalties being applied to your network. See #2, PENALTY entries, for actual penalties on your network.

Sample NetEqualizer Log File
Below is an example of a NetEqualizer Log File. Yours may differ slightly, depending on your NetEqualizer model. In this example, penalties are being taken off traffic where it says "PENALTY REMOVE". Penalties are being applied where it says "PENALTY". You may also see "INCREASE PENALTY" and "PENALTY DECREASE" in your log, which both show how penalties are being applied to traffic. If you are under RATIO on your network, you will not see penalties being applied.

Note: The line with the words PENALTY THRESHOLD is NOT a penalty. It is for information purposes only.
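The three entry types above can be told apart mechanically, which is handy when you want a quick view of which IP pairs are currently being penalized rather than reading the log by eye. The following is an added example, not code from the NetEqualizer or its documentation; the exact layout of a log line is not shown in this guide, so the sample lines are constructed, and only the keywords (UP/DOWN, PENALTY, INCREASE PENALTY, PENALTY DECREASE, PENALTY REMOVE, PENALTY THRESHOLD) are taken from the text.

```python
"""Classify NetEqualizer log entries and replay which IP pairs still carry a penalty.

Added example; the log line layout below is CONSTRUCTED for illustration.
Only the keywords come from the User Guide.
"""
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of the last lines of a log, in order of appearance.
SAMPLE_LOG = """\
Sep 21 10:00:00 UP 183000 DOWN 176500
Sep 21 10:00:03 PENALTY THRESHOLD POOL 0 UP 192000 DOWN 192000
Sep 21 10:00:05 PENALTY 10.1.1.25 198.51.100.7
Sep 21 10:00:09 INCREASE PENALTY 10.1.1.25 198.51.100.7
Sep 21 10:00:11 PENALTY 10.1.1.40 203.0.113.9
Sep 21 10:00:15 PENALTY DECREASE 10.1.1.25 198.51.100.7
Sep 21 10:00:20 UP 140000 DOWN 150200
Sep 21 10:00:22 PENALTY REMOVE 10.1.1.40 203.0.113.9
"""


def classify(line):
    """Return 'traffic', 'threshold', 'penalty' or 'other' for one log line.

    PENALTY THRESHOLD is tested first: it contains the word PENALTY but, per
    the guide, is informational only. A real penalty line carries two IPs.
    """
    if "PENALTY THRESHOLD" in line:
        return "threshold"
    if "PENALTY" in line and len(IP_RE.findall(line)) >= 2:
        return "penalty"
    if re.search(r"\bUP\b", line) and re.search(r"\bDOWN\b", line):
        return "traffic"
    return "other"


def penalty_action(line):
    """Map a penalty line to 'apply', 'increase', 'decrease' or 'remove'."""
    if "PENALTY REMOVE" in line:
        return "remove"
    if "INCREASE PENALTY" in line:
        return "increase"
    if "PENALTY DECREASE" in line:
        return "decrease"
    return "apply"


def summarize(log_text):
    """Replay the log in order.

    Returns (counts, active): counts per entry type, and a dict mapping each
    IP pair that is still penalized at the end of the log to its last action.
    A PENALTY REMOVE line lifts the penalty, so the pair drops out of 'active'.
    """
    counts = {"traffic": 0, "threshold": 0, "penalty": 0, "other": 0}
    active = {}
    for line in log_text.splitlines():
        kind = classify(line)
        counts[kind] += 1
        if kind != "penalty":
            continue
        pair = tuple(IP_RE.findall(line)[:2])
        action = penalty_action(line)
        if action == "remove":
            active.pop(pair, None)   # connection is no longer being slowed
        else:
            active[pair] = action    # apply/increase/decrease: still penalized
    return counts, active


if __name__ == "__main__":
    counts, active = summarize(SAMPLE_LOG)
    print(counts)
    for pair, action in active.items():
        print("still penalized:", pair, "last action:", action)
```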

Show MAC address for Active IPs
To view all active IP addresses and their associated MAC address:
From the Web GUI Main Menu, Click on ->Reports & Graphing->Show Get MAC IP

You will see a two column report:
Column #1: all active IP addresses in 0.0.0.0 format
Column #2: associated MAC address in 0.0.0.0.0.0 format

The report shows MAC addresses for IP addresses that have current active connections on your network. It is not intended to be inclusive of all MAC addresses on your network.

Historical Reporting
These reports are available to help you to identify trends of bandwidth usage on your network across time.

Graphical Reporting
The NE2000, NE3000, and NE4000 series all come configured to run ntop, an open source reporting tool that has excellent graphics and tables for generating detailed reports. If you are not familiar with ntop, and would like to learn more, you can read an overview on their website at http://www.ntop.org/overview.html.

We are continuing to strengthen our reporting capabilities for the NetEqualizer 2000 series and above. In software update 4.5 and above, we significantly increased the RAM disk size used to run ntop reporting over what we used in previous releases. This will enable most users to keep 1 month or more of data locally on the RAM disk. You may be able to store even more history, depending on your network size and traffic level. This change also increases the lifespan of the Compact Flash (CF). If you are on an older version of the software, we highly recommend that you upgrade to 4.5 or above, to take advantage of running ntop in a RAM disk. To upgrade, contact our Support Team at 303.997.1300 x102 or email support@apconnections.net.

Notes: For NetEqualizer units shipped prior to December 2005, additional memory must be added before using NTOP with an updated software version.
The NetEqualizer Lite (NETEQ-POE) no longer offers ntop reporting. Due to the small form factor of the NetEqualizer Lite, we are unable to run ntop on a RAM disk.

Starting ntop
In order to use ntop reporting, you must first start ntop.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Start ntop
The following screen appears with "Starting ntop". Once ntop is started, you will see a final line "Done."

Note: If you run this command and ntop has already been started, the message on the screen will say "ntop is already running".

Start ntop automatically when your NetEqualizer is rebooted


To start ntop upon reboot:
From the Web GUI Main Menu, Click on ->Miscellaneous->Edit autostart
Type in the following command as the last line:
/etc/init.d/ntop start

Viewing ntop reports
Once ntop is started, you can view reports. Typically, you will need to wait 15-20 seconds to make sure that the program is up and running.
From the Web GUI Main Menu, Click on ->Reports & Graphing->View ntop reports
Click on the link to open ntop reports.

You will see the following main ntop screen. Click on any of the menus to use ntop. Most useful for reporting are:
1) Summary Tab
2) IP Tab

Recommended ntop reports


Below we list several of the most preferred ntop reports. Note: Almost all ntop pages tell you at the bottom the period covered by the report. In general, this will be for the entire time ntop has been running.

1) ntop Summary Hosts Report (Summary Tab) This report shows all IP addresses and the bandwidth that they are consuming. Useful in identifying IP addresses that are your large bandwidth hogs.

2) ntop Summary Traffic Report (Summary Tab) Good report for those that like to see charts depicting network traffic.

3) ntop IP Summary Traffic Report (IP Tab) Shows traffic by IP in amount of data (KB) and percentage of your overall network used. Quantifies type of traffic (http, ftp, proxy, snmp, Kazaa, Gnutella, etc.)

Ntop default Administrative Username & Password
Please contact our Support Team at 303.997.1300 x102 or email support@apconnections.net if you feel that you need the administrative username and password for ntop. First, you need to understand several things before administering ntop:
1) There are a few hundred configuration options in ntop and its plug-in system. If you alter the settings, it is difficult to get back to our default setup.
2) The netflow and rrdPlugin plug-ins must both be running.
3) Do not set up your own devices in ntop.
4) Never toggle on DNS resolution within ntop or you run the risk of filling up your RAM disk.

If you do get ntop in a state that you cannot resolve, then your best option to fix it is to get a new software image file, by contacting our Support Team at 303.997.1300 x102 or emailing support@apconnections.net. You will need to have purchased NSS for your unit.

Stopping ntop
We suggest stopping ntop when you are not using it. There is no reason to run it if you are only going to look at it once a year.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Stop ntop reports
The following screen appears with "Stopping ntop". Once ntop is stopped, you will see a final line "Done."

Resetting ntop data
Resetting ntop data is used to clear your data out of RAM memory.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Reset ntop files
Note: You do not need to reset ntop data when you are done using ntop.

Creating an ntop data warehouse to report on > 1 month history


If you want to report on even more history, or already have a separate reporting server, you can dump data periodically from the NetEqualizer to load your data warehouse/reporting server. Contact our Support Team at 303.997.1300 x102 or email support@apconnections.net to get detailed instructions on how to dump NetEqualizer data from ntop onto a separate server.

Setting up NetEqualizer to use your ntp Time Server


Over time the NetEqualizer time will drift, like any server. You can configure the NetEqualizer to use your own ntp Time Server. The enclosed instructions assume that you are on a version of the NetEqualizer that has the "Edit any text file" command available under the Miscellaneous menu.

Note: If you do not see Miscellaneous/Edit any text file, then you will need to edit the /root/settime.sh and /root/crontab files from the command line or SSH with a text editor, adding the commands included in the instructions below.

Note: You must stop ntop before changing the time on your NetEqualizer. Otherwise ntop will not function to create graphs.

If you have questions on this set up process, or would like to set up your NetEqualizer to use an Internet time server directly, please contact our Support Team at 303.997.1300 x102 or email support@apconnections.net.

To Set Your NetEqualizer To Use Your NTP Time Server:
1. From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
   touch /root/settime.sh;chmod a+x /root/settime.sh
2. Then, Click on ->Miscellaneous->Edit any text file
   /root/settime.sh
3. Put the following lines in the settime.sh file (which is currently blank) and then post the changes:
   /usr/sbin/ntpdate xx.xx.xx.xx
   /sbin/hwclock --localtime --systohc
   Where xx.xx.xx.xx is replaced with your actual ntp time server.
4. Click on ->Miscellaneous->Edit any text file
   /root/crontab
   Change the line (by removing the two hash marks "##"):
   ## */5 * * * * /root/settime.sh
   to:
   */5 * * * * /root/settime.sh
   Post the changes to the file.
5. From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
   crontab /root/crontab
6. In order for this to persist on restarts, you must add to the autostart file as well. Click on ->Miscellaneous->Edit autostart
   On a new line right above the line that says thedate=`date`, add the following:
   crontab /root/crontab

Tips and Tricks
This section of the User Guide contains some simple tips and tricks. For a list of Advanced Tips and Tricks, recommended for NetEqualizer power users, please click on the link to go to our NetEqualizer News blog site.

How to Enable Speed Tests


In order to ensure that speed test sites are not equalized, you can give them priority treatment on your network. This is done by setting up each speed test site as a Priority Host.

To set up a Priority Host, also known as a Priority IP Address:
From the Web GUI Main Menu, Click on ->Add Rules->Priority Host

Testing Bandwidth Limiting Rules on the NetEqualizer


Because NetEqualizer adjusts to traffic over several seconds, attempts to set limits on short traffic bursts will have limited effect. NetEqualizer is designed to allow short bursts of traffic through. For most users, allowing these bursts is the desired effect. Short bursts have relatively little effect on overall traffic and should be given priority. When you do your initial testing on Bandwidth Limits (bandwidth limiting rules), use file transfers that persist for more than 15 seconds to allow NetEqualizer to come to a steady rate of data transfer.

What to Expect for your Bandwidth Limit Precision


Note: This assumes that you are NOT already using bursting on your bandwidth limits. NetEqualizer is designed to do a good job over time (five minute averages) of keeping bandwidth within specification. However, the NetEqualizer will allow some bursts through. As NetEqualizer takes a few seconds to adjust to a changing traffic situation, if you are testing with one or two large downloads, the bursts will be more pronounced than traffic on a busy network. Some tuning may be required to override the background shaping rules (which may be more restrictive than your desired limits). On higher speed networks, the default tuning in NetEqualizer may reduce traffic rates by more than an acceptable margin of error (an acceptable error margin to us is 10 percent; we do not claim to have billable quality rate limiting). We recommend reducing the size of your PENALTY_UNIT to compensate. Click on the link to go to the PENALTY_UNIT section of this document, where we offer detailed recommendations on tuning PENALTY_UNIT.

Sometimes it's Not NetEqualizer


There are some live-streaming utilities that are all or nothing. As they get penalized, they compensate by sending bigger packets, and then they die and restart. As a result of this effect, you may see jumpy traffic flows when running simple tests with certain applications. Fortunately, the applications that react this way are typically streaming music applications that are not bandwidth intensive. Most of them try to hold steady at 56 kbps or so. Streams in this range should not hit the penalty radar like P2P traffic, and will flow through the NetEqualizer smoothly. You should keep this in mind if you are using streaming music (i.e., Real Player) when you do your early testing. As always, the NetEqualizer will attempt to slow the stream gracefully. However, an all or nothing traffic stream will drop off quickly and then try to restart.

Security Precautions
Note: If you have installed your NetEqualizer inside your firewall, this does not apply to you. This tip is for customers that need to install the NetEqualizer outside their firewall, on the public side of their Internet pipe.

Firewall rules are provided to prohibit unauthorized users from accessing the NetEqualizer IP and thus SSH access and the NetEqualizer Web GUI screen.

To set up the NetEqualizer Firewall:
From the Web GUI Main Menu, Click on ->Firewall->Edit firewall rules file

Below is a section of this file as it appears on the NetEqualizer GUI admin screen in a default system, before any firewall rules are set. You can follow the instructions included in the comments to set up your NetEqualizer Firewall.

# Uncomment and edit the following lines to allow certain computers to access the GUI
#/sbin/iptables -A INPUT -s 192.168.1.100 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.101 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.20 -j ACCEPT
#
# Uncomment the following line to tell the firewall to drop everything else not in the lines above
#/sbin/iptables -A INPUT -p tcp -j DROP

If the network admin always uses IP address 140.32.22.5 when accessing the system, you could limit access to the NetEqualizer with the following changes. Notice we have removed the # characters to activate the firewall rules.

# Uncomment and edit the following lines to allow certain computers to access the GUI
/sbin/iptables -A INPUT -s 140.32.22.5 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.101 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.20 -j ACCEPT
#
# Uncomment the following line to tell the firewall to drop everything else not in the lines above
/sbin/iptables -A INPUT -p tcp -j DROP
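Because the rules are added with "iptables -A" (append), the order of the uncommented lines matters: a DROP that comes before an ACCEPT is matched first and locks that administrator out, and a file with the DROP active but no ACCEPT leaves no way in at all. The following added checker (example code, not part of the NetEqualizer product; the function names are assumptions) reads a rules file in the layout shown above and reports those conditions before you post the file.

```python
"""Sanity-check a NetEqualizer firewall rules file before posting it.

Added example, not NetEqualizer code. Reads "/sbin/iptables -A INPUT ... -j ACCEPT|DROP"
lines in the layout the User Guide shows and reports which sources are allowed in,
whether the catch-all DROP is active, and whether every ACCEPT precedes the DROP.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^/sbin/iptables\s+-A\s+INPUT\s+(?P<args>.*?)\s+-j\s+(?P<target>ACCEPT|DROP)\s*$"
)

# Constructed copy of the guide's activated rules section (admin host 140.32.22.5).
RULES_ACTIVATED = """\
# Uncomment and edit the following lines to allow certain computers to access the GUI
/sbin/iptables -A INPUT -s 140.32.22.5 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.101 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.20 -j ACCEPT
#
# Uncomment the following line to tell the firewall to drop everything else not in the lines above
/sbin/iptables -A INPUT -p tcp -j DROP
"""


def parse_rules(text):
    """Return the active (uncommented) rules as (line_no, target, source, proto)."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank line: the firewall never loads it
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not an INPUT rule in the expected layout: {raw!r}")
        args = m.group("args")
        src = re.search(r"-s\s+(\S+)", args)
        proto = re.search(r"-p\s+(\S+)", args)
        rules.append((n, m.group("target"),
                      src.group(1) if src else None,
                      proto.group(1) if proto else None))
    return rules


def check_rules(text):
    """Evaluate a rules file; returns allowed sources, DROP state, problems and notes."""
    rules = parse_rules(text)
    accepts = [r for r in rules if r[1] == "ACCEPT"]
    drops = [r for r in rules if r[1] == "DROP"]
    allowed = [r[2] for r in accepts if r[2]]
    problems, notes = [], []

    for src in allowed:
        try:
            ipaddress.ip_network(src, strict=False)  # catches a typo such as 140.32.22
        except ValueError:
            problems.append(f"ACCEPT source {src!r} is not a valid address or network")

    if not drops:
        problems.append("no active DROP rule: every host can still reach SSH and the Web GUI")
    else:
        first_drop = min(r[0] for r in drops)
        late = [r[0] for r in accepts if r[0] > first_drop]
        if late:
            problems.append(f"ACCEPT after DROP on line(s) {late}: appended after the DROP, so never matched")
        if not allowed:
            problems.append("DROP is active but no ACCEPT line is: nobody can manage the unit remotely")
        if all(r[3] == "tcp" for r in drops):
            notes.append("the DROP is limited to -p tcp (as in the guide); other protocols are not filtered")

    return {"allowed": allowed, "drop_active": bool(drops),
            "problems": problems, "notes": notes}


if __name__ == "__main__":
    for key, value in check_rules(RULES_ACTIVATED).items():
        print(f"{key}: {value}")
```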

Backing up your NetEqualizer Configuration
While we include a backup CF card with each NetEqualizer shipped, it does not contain your custom configuration settings. After you have made changes to your configuration, save your new NetEqualizer configuration as follows:
From the Web GUI Main Menu, Click on ->Miscellaneous->Save NetEq config
To back up your configuration, Click on the "Download Config" button. Save the NetEq.cfg file to a backup location.

Redundancy and Reliability


The NetEqualizer's bridge architecture fully supports network redundancy. If you would like to ensure that equalizing is in place at all times, you can put two NetEqualizers in your network in active/passive mode. NetEqualizer takes advantage of a mature feature already built into the Linux operating system called STP (spanning tree protocol). Two NetEqualizers placed in parallel will automatically set up a master/slave relationship where one server will back the other. NetEqualizers come pre-configured to take advantage of this feature. Once two NetEqualizers are in place, they will automatically fail over in 30 seconds using spanning tree protocol (STP).

Failover
If you do not need full redundancy, but would like a failover solution to ensure that your network continues to function if your NetEqualizer goes down, you can configure an STP-capable switch to bypass the NetEqualizer. You can use your own switch or try our third-party STP-capable switch.


User Guide Appendix


Appendix 1- Parameter Settings, Units, and Defaults
Key Parameters to Set for Equalizing

RATIO
  Unit: Percentage
  Default Value: 85
  What you can set to: 50-100
  Tips: 85% works for most networks. For >=1GB could be 90%.

TRUNK_UP
  Unit: Bytes per second
  Default Value: 192000 (T1)
  What you can set to: Size of your outbound network pipe. Traffic from the LAN to the WAN (Internet).
  Tips: Convert Mbps or Gbps to Bytes per second. Conversion Formulas: = Mbps/8 * 1,000,000; = (Gbps*1,000)/8 * 1,000,000

TRUNK_DOWN
  Unit: Bytes per second
  Default Value: 192000 (T1)
  What you can set to: Size of your inbound network pipe. Traffic from the WAN (Internet) to the LAN.
  Tips: Convert Mbps or Gbps to Bytes per second. Conversion Formulas: = Mbps/8 * 1,000,000; = (Gbps*1,000)/8 * 1,000,000

HOGMIN
  Unit: Bytes per second
  Default Value: 12000 (96 kilobits)
  What you can set to: For networks of size: <100Mb 12000; >=100Mb & <1Gb 20000; >=1Gb 40000
  Tips: If you reset HOGMIN, make sure your HOGMAX is greater than HOGMIN.

DEFAULT_RULES
  Unit: On/Off toggle
  Default Value: On
  What you can set to: Leave at Default of "On". Turn off during installation if you want to run throughput tests.
  Tips: Must be "On" for Equalizing to kick in. Uses RATIO, HOGMIN, TRUNK_UP & TRUNK_DOWN to assess congestion.

OPTIONAL Parameters to Set for Equalizing

MOVING_AVG
  Unit: Number of Seconds
  Default Value: 8
  What you can set to: Cannot change from Default value.

MAX_PENALTY
  Unit: Hundredths of seconds
  Default Value: 140
  What you can set to: Rarely changed from Default value.
  Tips: Should be greater than PENALTY_UNIT and less than 200.

PENALTY_UNIT
  Unit: Hundredths of seconds
  Default Value: 5
  What you can set to: For networks of size: <5Mb 5-6; >=5Mb to <45Mb 2-3; >=45Mbps 1
  Tips: The faster the trunk, the less radical the PENALTY should be, and PENALTY_UNIT will adjust that. For example, 10 would delay all packets by 1/10 of a second when a penalty is in effect.

BRAIN_SIZE
  Unit: Number of Connections (IP pairs) to track in one (1) second
  Default Value: 10000
  What you can set to: For networks of size: <1Gb 10000; >=1Gb to <5Gb 20000; >=5Gb 30000
  Tips: How many IP pairs to keep track of at one time during any given second.

ANCIENT
  Unit: Seconds
  Default Value: 20
  What you can set to: Rarely changed from Default value.
  Tips: Should not need to change.

INACTIVE_TICS
  Unit: Hundredths of seconds
  Default Value: 200
  What you can set to: 100-800
  Tips: How long to keep a penalty in effect. 1 (100) to 8 (800) seconds.

Appendix 2 - Setting/Forcing LAN Speeds and Duplex
Occasionally you need to manually set LAN Port Speed and Duplex in order for the NetEqualizer to operate at the expected port speeds and in the correct duplex mode. The NetEqualizer LAN ports auto-negotiate 95% of the time. However, the NetEqualizer may need to be manually set to work with some Routers or Switches. Symptoms that you need to set your LAN Port Speed and Duplex are that you are having collisions and/or dropping packets. Both these symptoms will make your network throughput less than expected.

To Check Your Current Port Speeds:
From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command to do the following.
To see if your ports are dropping packets or having collisions, run:
/sbin/ifconfig
To see what your ports' details are, run the following commands:
/usr/sbin/ethtool eth0
/usr/sbin/ethtool eth1

To Set Your Port Speed and Duplex Mode:
ethtool -s DEVNAME \
    [ speed 10|100|1000 ] \
    [ duplex half|full ] \
    [ autoneg on|off ]
Here are some examples to force a WAN interface to a certain speed and full duplex:
/usr/sbin/ethtool -s eth0 speed 1000 duplex full autoneg off
/usr/sbin/ethtool -s eth1 speed 1000 duplex full autoneg off

To Put Your Port Speed and Duplex Mode in Auto Startup File (recommended):
If you would like to put these commands in the Auto Startup file, you can put them into /art/autostart by editing the file from the console or SSH. Login as "root", using the default password, unless you changed it previously.

Editing with the Web GUI (recommended):
You can edit the Auto Start File with the Web GUI.
From the Web GUI Main Menu, Click on ->Miscellaneous->Edit autostart
This screen should come up.
To Save Your Changes: Click on the "Post Changes" button after you have inserted your commands at the bottom of the Auto Start File.
To Revert to Previous Settings: Click on the "Reset" button and all changes from this session will be removed.

Editing with Nano or vi text editor (for power users):
You can also use nano or vi to edit the /art/autostart file. Start your editor by typing in the following:
nano -w /art/autostart
The command is formatted as follows:
ethtool -s DEVNAME \
    [ speed 10|100|1000 ] \
    [ duplex half|full ] \
    [ autoneg on|off ]
At the very bottom of /art/autostart, put in your new command lines, such as:
/usr/sbin/ethtool -s eth0 speed 1000 duplex full autoneg off
/usr/sbin/ethtool -s eth1 speed 1000 duplex full autoneg off
Use the backspace, delete and arrow keys just like in Notepad. Save with Ctrl-o and Enter, and exit with Ctrl-x. There is a menu at the bottom of nano that shows these commands.

Appendix 3 - Tuning Hard Limit, VLAN, and Pool Sensitivity
The Hard Limit by IP, Hard Limit by VLAN, and Bandwidth Pools Bandwidth Limiting rules in the NetEqualizer are factory set to be accurate in most environments. However, sometimes it is important to tune them more accurately. Hard Limits work by keeping track of how many bytes a connection has used every second. When a byte count approaches the limit for that second, a time delay is imposed on remaining packets.

There are two options for tuning Hard Limit, VLAN, and Pool Sensitivity:
1. Fine Tuning Responsiveness
2. Fine Tuning Accuracy (for Large Pools, VLANs, and Hard Limits (>=10Mbps))

Fine Tuning Responsiveness
The following command line allows you to set how responsive the Hard Limit and Bandwidth Pooling utilities will react in different situations. This is done by changing the amount of delay put on a connection once the allocation per second is exceeded.

To set how responsive a Hard Limit, VLAN, or Pool is:
From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
Type the following command:
/bridge/bridge-utils/brctl sethardval my <val>

<val> is the amount of delay put on a connection, and is factory-set to a default value of 110 hundredths of seconds. <val> can be configured three different ways to handle combinations of UDP streams and TCP/IP streams. Note: Some UDP speed tests do not respond to delayed packets, while TCP streams can over-respond.

1. Change the Delay <val>
To change the delay on TCP and UDP streams, <val> can be a number in the range 1-200. This will make all packets exceeding their hard limit quota delayed <val> hundredths of seconds. Note: the factory-set default is <val>=110.

2. Drop Packets when over Hard Limit
To have the NetEq just drop packets when a user is over their 1 second quota, <val> can be set to 999999. This will cause all buffering to cease and packets to be dropped for both TCP and UDP packets when a hard limit is exceeded for a second. The next second the connection starts counting over.

3. Add a Buffer Time
Or <val> can be a constant between 1 and 200 plus a buffer time constant (i.e. 1000000). So for example, you could set it to 1000140 for 140+1000000. The buffer time constant will be used to set a buffer time (hundredths of seconds) for TCP packets and drop UDP packets.
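The three encodings above are easy to confuse (1000000 on its own is not a documented value, and 999999 is drop-only rather than a very long delay), so it helps to decode a candidate <val> into the behaviour it selects before typing it. This is an added example, not NetEqualizer code; the function names are assumptions, and the value ranges are taken from the three options above.

```python
"""Decode and build values for 'brctl sethardval my <val>'.

Added example, not part of the NetEqualizer software. It follows the three
encodings the guide describes: 1-200 delays over-quota packets by that many
hundredths of a second (TCP and UDP alike), 999999 drops them, and
1000000 plus a 1-200 delay buffers TCP for that long while dropping UDP.
"""
DROP_ONLY = 999999
BUFFER_BASE = 1000000
FACTORY_DEFAULT = 110  # hundredths of a second, per the guide


def decode_hardval(val):
    """Return (mode, tcp_action, udp_action).

    Each action is (kind, hundredths) with kind 'delay', 'buffer' or 'drop'.
    """
    if isinstance(val, bool) or not isinstance(val, int):
        raise TypeError("val must be an integer")
    if 1 <= val <= 200:
        return ("delay", ("delay", val), ("delay", val))
    if val == DROP_ONLY:
        return ("drop", ("drop", 0), ("drop", 0))
    if BUFFER_BASE + 1 <= val <= BUFFER_BASE + 200:
        return ("buffer", ("buffer", val - BUFFER_BASE), ("drop", 0))
    # 0, 201-999998, exactly 1000000 and anything above 1000200 are not documented.
    raise ValueError(f"{val} is not a documented sethardval value")


def is_valid_hardval(val):
    """True if decode_hardval accepts the value."""
    try:
        decode_hardval(val)
    except (TypeError, ValueError):
        return False
    return True


def encode_hardval(mode, delay=FACTORY_DEFAULT):
    """Inverse of decode_hardval: build <val> for mode 'delay', 'drop' or 'buffer'."""
    if mode == "drop":
        return DROP_ONLY
    if not 1 <= delay <= 200:
        raise ValueError("delay must be 1-200 hundredths of a second")
    if mode == "delay":
        return delay
    if mode == "buffer":
        return BUFFER_BASE + delay
    raise ValueError(f"unknown mode {mode!r}")


def autostart_line(val):
    """The command to append to /art/autostart so the setting survives a reboot."""
    decode_hardval(val)  # refuse to persist an undocumented value
    return f"/bridge/bridge-utils/brctl sethardval my {val}"


if __name__ == "__main__":
    for candidate in (FACTORY_DEFAULT, DROP_ONLY, 1000140):
        print(candidate, "->", decode_hardval(candidate))
    print(autostart_line(encode_hardval("buffer", 140)))
```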
Note: to make this command persist through a reboot, it should be entered as a command in /art/autostart at the bottom of the file.
From the Web GUI Main Menu, Click on ->Miscellaneous->Edit autostart
Type the following command at the bottom of the file:
/bridge/bridge-utils/brctl sethardval my <val>

Fine Tuning Accuracy (Tuning for Pools, VLANs, and Hard Limits >=10Mbps)
This feature is only available in software update 4.7 or higher. We have enhanced shaping for Large VLANs, Pools, and Hard Limits (>=10 Mbps). We have smoothed our rate limits so that packets are slowed down progressively before dropping packets. In order to implement this feature, you will need to run a tuning command.
From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
For 10-20Mbps, type the following command:
brctl setshaping my 1 1 2 5
For >20Mbps, type the following command:
brctl setshaping my 1 1 1 8

If you have mixed sized Pools or VLANs, then you should just pick the settings for the largest Pool or VLAN. If your limits are still being enforced too aggressively, then increase and re-run the setshaping command, changing the last number (currently 5) to 7 or 8. Keep increasing this number until you have an acceptable limit accuracy.

What the command does:
brctl setshaping my x1 x2 x3 x4
When trying to enforce a rate limit for a VLAN, Pool, or Hard Limit, the NetEqualizer measures the rate of transfer, i.e. how many bytes have gone by every 1/8 of a second. If the byte transfer rate is going too fast, it adds x1/1000 latency to all packets in that Pool, VLAN, or Hard Limit. If after 1/4 second it is still going too fast, it adds x2/1000 in latency. If after 1/2 a second it is still going too fast, it adds x4/1000 latency. After 1/2 a second it waits for x4 packets, and if the rate is still too fast it will drop packets.

Note: to make this command persist through a reboot, it should be entered as a command in /art/autostart.
From the Web GUI Main Menu, Click on ->Miscellaneous->Edit autostart
Type the final command:
brctl setshaping my 1 1 2 X (where X is the final number that you have defined)

Remember to check the current capacity on a POOL; the command is:
brctl getpeak my XXX
where XXX is the POOL number.

Appendix 4 - Packet Capturing for taps such as CALEA
NetEqualizer is a CALEA Probe
The NetEqualizer acts as a CALEA Probe via packet capturing & forwarding. We provide a network probe with the following capabilities:
It will allow an ISP or other operator to comply with a basic warrant for information about a user by capturing and sending IP communications in real time to a third party.
Communication may be captured by headers or headers and content.
We provide basic descriptive tags identifying headers, data, and time stamps, along with HEX or ASCII representation of content data.

Note: The NetEqualizer does not do any analysis of the data. We are only providing a probe function.

CALEA Compliance
As best we can tell at this time, there is no one government agency that can fully declare our technology CALEA compliant. However, we do pledge to work with our customers should they be faced with a warrant for information to adjust and even customize our solution; however additional consulting fees may apply. Although the law (see CALEA sections 103 and 107(a)(2)) is fairly specific on what needs to be done, the how is not addressed to any level of detail to which we can engineer our solution. We believe that the law and specifications on "how" to deliver to a law enforcement agency are somewhat ambiguous. The FBI has created some detailed specifications, but the reality is that there are some 40,000 law enforcement agencies, and they are each given autonomy on how they receive data. We do provide samples (see below) on how to receive NetEqualizer-captured data on a third party server, but are unable to guarantee definite compliance with any specific agency. Many people are following the ATIS specification which was put forth by the FBI, and we have read and attempted to comply with the probe portion of that specification. But, the reality is that there is no one agency given the authority to test a solution and bless it as compliant. So, if faced with a warrant for information, the law enforcement agency in charge may indeed want something in a slightly different format. If this is the case, contact our Support Team at support@apconnections.net or 303.997.1300 x102 for help in complying. Please note that as the CALEA module is not covered under NSS, consulting charges may apply. Additional information on CALEA itself can be found at http://www.askcalea.org.

Setting up the receiver for the tap (THIS MUST BE DONE FIRST):
1. Install netcat (nc) onto a computer
   Netcat can be installed on Ubuntu or Debian with:
   apt-get update
   apt-get install netcat
   Netcat can also be installed on Windows by finding the Windows version on the Internet and installing it.
2. Set up the port to listen on
   On the receiving computer, run the command line of:
   nc -l -p XXXXX
   where XXXXX is the port you want to listen on, and that you set up on the NetEqualizer to send on.
3. (Optional) Pipe results to a File
   Netcat output can be redirected to a file using > or piped with | like any other command.

Setting up the NetEqualizer to Capture Packets (THIS MUST BE DONE SECOND):


To set up packet capturing on the NetEqualizer:
From the Web GUI Main Menu, Click on ->Miscellaneous->Start Packet Capture

As packet capturing takes up both memory and CPU on the NetEqualizer, we recommend that you turn it off when you are done with your packet capture.

When you are done with packet capturing on the NetEqualizer:
From the Web GUI Main Menu, Click on ->Miscellaneous->Stop Packet Capture

Appendix 5 - Network Access Control (NAC)
The NetEqualizer Network Access Control (NAC) module is an add-on module to the NetEqualizer that enables you to restrict and (optionally) charge for usage on your network. The NetEqualizer NAC module is a captive portal controller built into the NetEqualizer. When activated, it will authenticate new users as they attempt to access your network.

NAC Key Features:

Radius Integration - The NetEqualizer NAC module will contact a Radius server when a user tries to acquire access to your network. The Radius server must be set up separately. Note: At this time, the NAC module requires integration with Radius.
User Authentication - We will work with you to customize how this is set up for your environment. We find that this has typically been implemented in one of two ways: 1) by IP address, or 2) by User ID and Password.
Classes of Service - Use Hard Limits by IP or Pools along with the NAC Module to enforce a rate limit for individual customers. In this way, you can price and offer multiple levels of service.
Re-direction of Unauthorized Users - Unauthorized users can be redirected to a login or payment page of your design. You do not need a separate web server to implement this feature.
Group Licenses - Available with user ID authentication. Multiple simultaneous users can share a login ID (for conferences or other events hosted on your network).

The NAC module is priced as a separate option, and runs concurrently on most standard NetEqualizer appliances. When activated, it will force unknown users to login for access to your network. The NAC module will not run unless it is factory-enabled. If you have an older system and wish to upgrade, contact our Support Team at support@apconnections.net or 303.997.1300 x102, and they can help you determine if NAC can be enabled on your system.

There are two ways to restrict access to your network using the NAC module.

1. Manual Account Creation
Administrators of the NetEqualizer can manually create accounts for users through the administrative interface. An account is defined by a user ID and can be shared by 1 or more users. The number of simultaneous users allowed to share an account can be defined when the account is created. When multiple users share an account, the NAC module keeps track of how many users are logged in. If the number of logins exceeds the account limit, additional users will be denied access. A session is considered "active" if there is activity within the last 10 minutes. Inactive sessions will be automatically logged out. The inactivity time limit value is configurable.

2. Automated Account Creation
The second option for creating an account is automated creation. This option is designed for cases where users can sign up on the fly, such as at hotspots, for access with a credit card.

How User Accounts are Enforced


1) Each user account requires a Login ID (and an optional password). The default system does not require a password. The reason for eliminating the password in the default setup was the desire to streamline and simplify system administration. The NAC is not meant to protect sensitive data in any way; it simply restricts access to your network. Since the NAC system limits the number of simultaneous user sessions, it would NOT be in the interest of a paying customer to give out their Login ID. Using a simple Login ID also ensures that users will pick something simple that they are less likely to forget; hence, less administrative overhead without complex password recovery support. If you would like to use passwords, you can enable this feature.
2) Accounts are activated for a time period by hours or days. Timing is based on calendar time (not a meter).
3) Administrators have full access to account records and may extend the time period upon request.
4) The NAC module will allow the administrator to set up a data rate associated with each account, thus allowing different classes of service.
5) For flexibility purposes, user accounts are controlled by IP address. Each time a user logs in, the NAC records the user's IP address. The administration screen menu contains a report option for showing currently active sessions. This report will also display the current IP addresses associated with all active user sessions.
6) The NAC will time out inactive sessions (selectable time out period) for cases where users do not have a persistent IP (they can login with a new IP).
7) MAC authentication for access is not currently supported via the NAC module.



Appendix 6 - NetEqualizer User-Quota API (NUQ API) Programmer's Toolkit
The following article serves as the programmer's toolkit for the new NetEqualizer UserQuota API (NUQ API). Other industry terms for this process include bandwidth allotment, and usage-based service. The NUQ API toolkit is available with NetEqualizer release 4.5 and above and a current software subscription license (NSS).

Step 1: Start the Quota Server


In order to use the NUQ API programmer's toolkit, you must have the main quota server running. To start the quota server from the Linux command line, you can type:
# /art/quota/quota &

Step 2: Run commands via command line API


Once the quota main process is running, you can make requests using the command line API. The following API commands are available:

______________________________________________________________________
quota_create

Usage: /art/quota/quota_create 102.20.20.2/24
Will cause the NetEqualizer to start tracking data for a block (subnet) of IP addresses in the range 10.20.20.0 through 10.20.20.255.
______________________________________________________________________
quota_remove

Usage: /art/quota/quota_remove 102.20.20.2/24
Will remove a block of IP addresses from the quota system.
Note: You must use the exact same IP address and mask to remove a block as was used to create the block.
______________________________________________________________________
quota_set_alarm

Usage: /art/quota/quota_set_alarm 102.20.20.2/17 <down limit> <up limit>
Will set an alarm when an IP address reaches a defined limit. The limits are in bytes transferred. Alarm notifications are reported in the log /tmp/quotalog; see the sample programs below for usage.
Note: All IPs in the subnet range will get flagged when/if they reach the defined limit.
______________________________________________________________________
quota_remove_alarm

Usage: /art/quota/quota_remove_alarm 102.20.20.2/17
Will remove all alarms in effect on the specified subnet.
Note: The subnet specification must match exactly the format used when the alarm was created -- same exact IP address and same exact mask.
______________________________________________________________________
quota_reset_ip

Usage: /art/quota/quota_reset_ip 102.20.20.2/17
Will reset the usage counters for the specified subnet range.
______________________________________________________________________
quota_status_ip

Usage: /art/quota/quota_status_ip 102.20.20.2/24
Will show the current usage byte count for the specified IPs in the range and display this on the console. The usage counters must be initiated with the quota_create command. Will also put usage statistics to the default log /tmp/quotalog.
______________________________________________________________________
quota_rules

Usage: /art/quota/quota_rules
Will display all current rules in effect.
______________________________________________________________________
ADD_CONFIG

Usage: /art/ADD_CONFIG HARD <ip> <down> <up> <subnet mask> <burst factor>
Used to set rate limits on IPs, which would be the normal response should a user exceed their quota.

Parameter definitions:
HARD            Constant that specifies the type of operation. In this case HARD indicates "hard limit".
<ip>            The IP address in the format x.x.x.x.
<down>          The specified max download (inbound) transfer speed for this IP in BYTES per second; this is not kbps.
<up>            The specified upload (outbound) transfer speed in BYTES per second.
<subnet mask>   Specifies the subnet mask for the IP address. For example, 24 would be the same as x.x.x.x/24 notation. However, for this command the mask is specified as a separate parameter.
<burst factor>  The last field in the command specifies the burst factor. Set this field to 1 (no bursting) or to a multiple greater than 1 (bursting). BURST FACTOR is multiplied times the <down> and <up> HARD LIMITs to arrive at the BURST LIMIT (default speed you wish to burst up to). For example, 2Mbps <down> HARD LIMIT x 4 BURST FACTOR = 8Mbps <down> BURST LIMIT.
______________________________________________________________________
REMOVE_CONFIG

Usage: /art/REMOVE_CONFIG HARD x.x.x.x
Where x.x.x.x is the base IP address used in the ADD_CONFIG HARD command. No other parameters are necessary on the removal of the rule.
______________________________________________________________________
To view the Log:

Usage: /tmp/quotalog
Various status messages will get reported along with ALARMs and usage statistics.
______________________________________________________________________

Examples and a Sample Session

Note: This example assumes that you have Linux shell and Perl knowledge. From the command line of a running NetEqualizer:

1. First, start the quota server.
root@neteq:/art/quota# /art/quota/quota &
[1] 29653
#

2. Then issue a command to start tracking byte counts on the local subnet. For this example, there is background network traffic running across a test NetEqualizer.
root@neteq:/art/quota# ./quota_create 192.168.1.143/24
Created 192.168.1.143/24
root@neteq:/art/quota#

This command told the quota server to start tracking bytes on the subnet 192.168.1.*

3. To see the current transferred byte count on an IP address, you can use the quota_status_ip command.
root@neteq:/art/quota# ./quota_status_ip 192.168.1.143/24
Begin status for 192.168.1.143/24
status for 192.168.1.255
start time = Fri Apr 2 21:23:13 UTC 2010
current date time = Fri Apr 2 21:55:28 UTC 2010
Total bytes down = 65033
Total bytes up = 0
status for 192.168.1.119
start time = Fri Apr 2 21:54:50 UTC 2010
current date time = Fri Apr 2 21:55:28 UTC 2010
Total bytes down = 3234
Total bytes up = 4695
End of status for 192.168.1.143/24
root@neteq:/art/quota#

Yes, the output is a bit cryptic, but everything is there. For example, the start time and current time since the data collection started on each IP address (192.168.1.255 and 192.168.1.119) in the subnet.

4. Now let's say we wanted to do something useful when a byte count or quota was exceeded by a user.

a. First, we would set up an alarm.
root@neteq:/art/quota# ./quota_set_alarm 192.168.1.143/24 10000 10000
alarm block created for 192.168.1.143/24

We have now told the quota server to notify us when any IP in the range 192.168.1.* exceeds 10000 bytes up or 10000 bytes down. If an alarm is raised, the next alarm will occur at twice the original byte count. In the example above, we will get alarms at 10,000, 20,000, 30,000 and so forth for all IPs in the range. Obviously, in a commercial operation, you would want your quotas set much higher, probably in the gigabyte range.

b. Now that we have alarms set, how do we know when they happen and how can we take action? Just for fun, we wrote a little perl script to take action when an alarm occurs. So, here is the perl script code, followed by an example of how to use it.
root@neteq:/art# cat test
#!/usr/bin/perl
# Read the quotalog one line at a time from STDIN (fed by tail -f below);
# stop cleanly at end of input instead of spinning on an undefined line.
while (defined($line = readline(*STDIN))) {
    print $line;
    chomp($line);
    @foo = split(" ", $line);
    # The quota server writes alarm notices as "ALARM <ip> has exceeded ..."
    if ($foo[0] eq "ALARM") {
        print "send an email to somebody important here \n";
    }
}

First, save the perl script off to a file. In our example, we save it to a file /art/test

c. Next, we will monitor the /tmp/quotalog for new alarms as they occur. When we find a new alarm, we will print the message "send an email to somebody important here". To actually send an email you would need to set up an email server and call the command line smtp command with your message. We did not go that far here. Here is how we use the test script to monitor the quotalog (where ALARM messages get reported).
root@neteq:/art# tail -f /tmp/quotalog | ./test
Log Reset
ALARM 192.168.1.119 has exceeded up byte count of 160000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded down byte count of 190000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded up byte count of 170000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded down byte count of 200000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded up byte count of 180000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded down byte count of 210000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded up byte count of 190000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded down byte count of 220000
send an email to somebody important here
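The perl script above only prints a message when an ALARM line appears. As an added example (not APconnections code), the Python script below carries the idea through to the "normal response" the ADD_CONFIG reference describes: it reads the same quotalog lines, converts a penalty tier given in kbps into the BYTES-per-second figures ADD_CONFIG HARD expects, and applies the limit once per IP (the quota server keeps alarming at every further multiple, so a script that acted on every line would re-run the command each time). It assumes /art/ADD_CONFIG as documented above, a mask of 32 to limit only the single offending host (the reference shows 24 for a subnet), and a constructed 256 kbps penalty tier; the quotalog excerpt is constructed from the session above, and commands are only returned and printed unless execute=True is passed.

```python
"""Quota-alarm monitor (added example, not APconnections code). Reads the
ALARM lines the quota server writes to /tmp/quotalog (format copied from the
guide's sample session) and, for each newly flagged IP, builds the
ADD_CONFIG HARD rate-limit command from the guide's parameter reference.
Commands are returned rather than executed unless execute=True, so the
policy can be reviewed first. The penalty tier (256 kbps), the /32 mask and
the burst factor of 1 are constructed values for this example."""
import re
import subprocess
import sys

ADD_CONFIG = "/art/ADD_CONFIG"            # path from the guide
ALARM_RE = re.compile(
    r"^ALARM (\d+\.\d+\.\d+\.\d+) has exceeded (up|down) byte count of (\d+)$")

# Constructed quotalog excerpt, taken from the guide's sample session.
SAMPLE_LOG = """Log Reset
ALARM 192.168.1.119 has exceeded up byte count of 160000
ALARM 192.168.1.119 has exceeded down byte count of 190000
ALARM 192.168.1.119 has exceeded up byte count of 170000
ALARM 192.168.1.119 has exceeded down byte count of 200000
"""


def parse_alarm(line):
    """Return (ip, direction, bytes) for an ALARM line, or None for any other line."""
    m = ALARM_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def kbps_to_bytes_per_second(kbps):
    """ADD_CONFIG HARD takes BYTES per second, not kbps (see parameter reference)."""
    return kbps * 1000 // 8


def hard_limit_command(ip, down_kbps, up_kbps, mask=32, burst_factor=1):
    """Build the ADD_CONFIG HARD argv for one host; mask 32 is an assumption
    that limits just that IP (the guide documents the mask with 24 as example)."""
    return [ADD_CONFIG, "HARD", ip,
            str(kbps_to_bytes_per_second(down_kbps)),
            str(kbps_to_bytes_per_second(up_kbps)),
            str(mask), str(burst_factor)]


class QuotaEnforcer:
    """Tracks which IPs are already limited so the repeated alarms the quota
    server raises at every further multiple do not re-run the command."""

    def __init__(self, penalty_down_kbps=256, penalty_up_kbps=256, execute=False):
        self.down = penalty_down_kbps
        self.up = penalty_up_kbps
        self.execute = execute
        self.limited = {}          # ip -> (direction, bytes) of the alarm that triggered it

    def handle_line(self, line):
        """Process one log line; return the command issued, or None."""
        alarm = parse_alarm(line)
        if alarm is None or alarm[0] in self.limited:
            return None
        ip, direction, count = alarm
        cmd = hard_limit_command(ip, self.down, self.up)
        self.limited[ip] = (direction, count)
        if self.execute:
            subprocess.run(cmd, check=True)
        return cmd

    def run(self, lines):
        """Feed an iterable of log lines (e.g. tail -f output); return commands issued."""
        return [c for c in (self.handle_line(l) for l in lines) if c]


if __name__ == "__main__":
    # On the appliance:  tail -f /tmp/quotalog | python3 quota_enforcer.py
    for cmd in QuotaEnforcer().run(sys.stdin):
        print("would run:", " ".join(cmd))
```

Pair it with REMOVE_CONFIG HARD and quota_reset_ip at the start of each billing period, otherwise a host limited in one period stays limited in the next.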

5. Now, what if we just want to see what quota rules are in effect? Here is a sequence where we create a couple of rules and show how you can status them.

Note: There is a subtle difference between the commands quota_rules and quota_status_ip. quota_rules will show all IP addresses with rules on them, whether they have active traffic or not. quota_status_ip shows IP addresses that are part of the rule and have active traffic (are actively counting bytes). A rule does not become active (show up in quota_status_ip) until there are actually bytes being transferred.

root@neteq:/art/quota# ./quota_create 192.168.13.143/24
Created 192.168.13.143/24
root@neteq:/art/quota# ./quota_rules
Active Quotas
--------------
192.168.13.143/24
Active Alarms
---------------
root@neteq:/art/quota# ./quota_set_alarm 192.168.11.143/24 20000 20000
alarm block created for 192.168.11.143/24
root@neteq:/art/quota# ./quota_rules
Active Quotas
--------------
192.168.13.143/24
Active Alarms
---------------
192.168.11.0/24
root@neteq:/art/quota#

That concludes the NetEqualizer User-Quota API (NUQ API) programmer's toolkit for now. We will be adding more examples and features in the near future. Please feel free to e-mail us at support@apconnections.net with feature requests and bug reports on this tool.
Note: You must have a current NSS to receive the NUQ-API toolkit software. It is not enabled with the default system.
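The quota_status_ip listing in step 3 and the quota_rules listing in step 5 are printed for a person to read; a billing or enforcement script needs them as data. As an added example (not APconnections code), the Python module below parses both into structured records, computes how long each host has been counted and its combined usage, and reports the hosts at or over a quota. The sample listings are constructed from the sessions above, and the quota thresholds passed to over_quota are constructed values.

```python
"""Parsers for quota_status_ip and quota_rules console output (added example,
not APconnections code). The sample text is constructed from the guide's
session, one field per line as the commands print it."""
import re
from datetime import datetime, timezone

SAMPLE_STATUS = """Begin status for 192.168.1.143/24
status for 192.168.1.255
start time = Fri Apr 2 21:23:13 UTC 2010
current date time = Fri Apr 2 21:55:28 UTC 2010
Total bytes down = 65033
Total bytes up = 0
status for 192.168.1.119
start time = Fri Apr 2 21:54:50 UTC 2010
current date time = Fri Apr 2 21:55:28 UTC 2010
Total bytes down = 3234
Total bytes up = 4695
End of status for 192.168.1.143/24
"""

SAMPLE_RULES = """Active Quotas
--------------
192.168.13.143/24
Active Alarms
---------------
192.168.11.0/24
"""

_TIME_FMT = "%a %b %d %H:%M:%S UTC %Y"   # e.g. "Fri Apr 2 21:23:13 UTC 2010"
_FIELDS = {                               # console label -> record key
    "start time": "start",
    "current date time": "current",
    "Total bytes down": "down",
    "Total bytes up": "up",
}


def _parse_time(text):
    return datetime.strptime(text.strip(), _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_status(text):
    """Return {"subnet": "a.b.c.d/m", "hosts": {ip: record}} for one quota_status_ip dump.
    Each record carries start, current, down, up, plus derived seconds and total."""
    result = {"subnet": None, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Begin status for (\S+)", line)
        if m:
            result["subnet"] = m.group(1)
            continue
        m = re.match(r"status for (\S+)", line)     # "End of status" does not match here
        if m:
            current = result["hosts"].setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        field = _FIELDS.get(key.strip())
        if field in ("start", "current"):
            current[field] = _parse_time(value)
        elif field in ("down", "up"):
            current[field] = int(value)
    for rec in result["hosts"].values():
        rec["seconds"] = int((rec["current"] - rec["start"]).total_seconds())
        rec["total"] = rec["down"] + rec["up"]
    return result


def over_quota(status, quota_bytes):
    """(ip, total_bytes) for hosts whose up+down usage meets quota_bytes, largest first."""
    hits = [(ip, r["total"]) for ip, r in status["hosts"].items() if r["total"] >= quota_bytes]
    return sorted(hits, key=lambda h: -h[1])


def parse_rules(text):
    """Return {"quotas": [subnet, ...], "alarms": [subnet, ...]} from quota_rules output."""
    sections = {"Active Quotas": "quotas", "Active Alarms": "alarms"}
    out = {"quotas": [], "alarms": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line in sections:
            current = sections[line]
        elif current and line and not line.startswith("-"):   # skip the dashed rules
            out[current].append(line)
    return out


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS)
    for ip, rec in st["hosts"].items():
        print(f"{ip}: {rec['total']} bytes over {rec['seconds']} s")
    print("over 10000 bytes:", over_quota(st, 10000))
    print(parse_rules(SAMPLE_RULES))
```

On the appliance the same functions take the live output, e.g. `parse_status(subprocess.check_output(["/art/quota/quota_status_ip", subnet], text=True))`; because quota_status_ip also appends its statistics to /tmp/quotalog, a periodic poll of that log gives the same records without re-running the command.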
